Garmin’s admission this week that a ransomware attack had encrypted some of its systems last Wednesday raised as many questions as it answered.
One of the world leaders in activity tracking gadgets, it said many of its online services were interrupted, “including website functions, customer support, customer facing applications, and company communications”.
“We immediately began to assess the nature of the attack and started remediation,” it said in a statement on Monday. “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”
Of course, online services have become among the key functions of its devices – allowing users to update and analyse their physical activity statistics – suggesting the organisation is attempting to downplay the incident.
Garmin’s woes deepened when it emerged that it had probably paid a ransom to obtain a decryption key from Evil Corp, the Russian hacking group behind the WastedLocker malware that was used to encrypt the systems. The ransom demand had reportedly been for $10-million.
“If in fact Garmin paid the astronomically high ransom to obtain the decryption key, the popular connected device maker could find itself in legal trouble for breaching a US Treasury sanction that prohibits such transactions,” says Chester Wisniewski, principal research scientist at British data security provider Sophos. “In paying, the sanction’s intended purpose of eliminating cyber-criminal activity is wholly defeated.”
The prohibition against paying ransoms is also a basic principle of combating ransomware: it is broadly agreed that any such payment validates the ransomware “business model”. As a result, it not only encourages further attacks, but also signals to other victims that paying is an appropriate response.
As Wisniewski puts it, “Victims crippled by ransomware often find themselves faced with the same prisoner’s dilemma of whether to pay or bite the bullet. It’s a no win situation that usually boils down to the lesser of two costs. But as research shows, paying the ransom usually doubles the total cost of remediation.”
He cautions against faulting the victims, however.
“Regardless of how Garmin is picking itself back up and restoring operations, victim shaming isn’t the answer. The ransomware threat landscape is rapidly and constantly changing as cyber criminals invest significant resources and expertise into their toolsets. Unfortunately, no one is off limits, and the industry needs to band together as a whole to raise the bar of protection and make it harder for these relentless attackers to succeed.”
Nevertheless, it is also clear that the fundamental need in this landscape is better preparation.
“It is sadly no surprise to see another organisation fall victim to a suspected ransomware attack,” says Carl Wearn, head of e-crime at Mimecast, who warns that South African organisations are especially vulnerable.
“Our recent State of Email Security report found that 45% of companies in South Africa have been impacted by ransomware attacks in the last year,” he says. “The key thing is that as long as organisations continue to pay, attackers will view this attack approach as being financially viable.
“This particular attack is also worrying because of the type of data that could be lost, including both location and personal health data. When consumers trust organisations with this data, it is absolutely vital that it is kept secure. Incidents like these can have devastating consequences for the reputation of an organisation.”
Garmin said on Monday: “Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage. As our affected systems are restored, we expect some delays as the backlog of information is being processed.”
This may be an over-optimistic outlook, as is the company’s argument that device functionality is not affected.
“It is clear in this instance that the victim has experienced lengthy downtime as a result of this attack, which will of course have a massive impact upon the business,” says Wearn. “Our research found that the average downtime an organisation suffers from a ransomware attack is three days, but this can of course be indefinite and lead to failure of a business. This is happening.”