Garmin Left to Deal with a Devastating Ransomware Attack

For Garmin’s vast user base, the news that something is wrong with the company’s services is perhaps painfully old by now. In summary, reports began emerging as soon as July 23 that large swathes of the company’s services were offline. The company remained quiet as to why, except for a tweet and an announcement via its website. In time, several employees would speak out and say that the company had experienced a ransomware attack and, what’s more, that the offending piece of malware was WastedLocker. In yet another staggering twist, reports emerged that 10 million USD was being demanded as a ransom by the cybercriminals behind the attack.

Tracing the attack timeline in further detail reveals that Garmin’s response to the incident can be called flawed at best. As a result of the attack, the company was forced to shut down its website, call center, and many of the services offered by the company’s smartwatch products. As a result, all customer service channels, including the chat and email options that are typically offered, were unavailable. With little to no explanation, customers were left scratching their heads with no real way to find out why the products they had spent a significant amount of money on no longer functioned as advertised. For many, any synchronizing of fitness data and performance monitoring had gone the way of the dodo. All that was offered to customers was:

“We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers and we are currently unable to receive any calls, emails, or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

Worryingly, it was not just the end-user tracking products that were affected; reports also stated that Garmin’s aviation offerings were hit by the ransomware attack. Pilots reported that they had not been able to download new Garmin software with up-to-date versions of the aviation database, which is a legal requirement for flying.

The Garmin Pilot app, which is used to schedule and plan flights, was also hit by the attack. Despite the severity of the impact, affected parties were still left in the dark as to what the problem was. As mentioned above, it was employees who leaked information to news sources stating that the company had indeed suffered a ransomware attack. Further, an internal memo for the Taiwanese department of the business was released to Taiwanese media stating that the outage was caused by a “virus”. In today’s threat landscape, the kind of malware that can take out as many operations as Garmin experienced is ransomware, and more specifically ransomware deployed by experienced operators such as those behind WastedLocker.

WastedLocker and EvilCorp

If WastedLocker was indeed the ransomware deployed in the Garmin incident, then the company suffered an attack by one of the world’s more infamous cybercriminal gangs, “Evil Corp”. The gang’s alleged leader, Maksim Viktorovich Yakubets, 33, has a 5 million USD bounty on his head offered by the Federal Bureau of Investigation. In what may be considered a badge of honor, especially among those residing within the cybercrime underground, the bounty is the largest ever offered on someone alleged to participate in cybercrimes. Historically, the gang has been incredibly focussed on who it targets and is best known for the deployment of Dridex, a banking trojan, and Bitpaymer, another ransomware strain.

WastedLocker is widely regarded as the newest piece of malware added to Evil Corp’s toolbox. Researchers attribute its development and deployment to Evil Corp because it uses many of the tactics the group has used over the years. According to a technical report published by Symantec, a WastedLocker attack plays out as follows:

  • The initial compromise of an organization involves the SocGholish framework, which is delivered to the victim in a zipped file via compromised legitimate websites. Symantec has discovered at least 150 different legitimate websites that refer traffic to websites hosting the SocGholish zip file. It is possible that these websites lead to different malware, as such redirection services can be utilized by multiple actors at the same time.
  • The zipped file contains malicious JavaScript, masquerading as a browser update. A second JavaScript file is then executed by wscript.exe. This JavaScript first profiles the computer using commands such as whoami, net user, and net group, then uses PowerShell to download additional discovery related PowerShell scripts.
  • The next stage of the attack is to deploy Cobalt Strike. PowerShell is used to download and execute a loader from a domain publicly reported as being used to deliver Cobalt Strike as part of WastedLocker attacks. The loader also shared a command and control (C&C) domain with this reported Cobalt Strike infrastructure. The loader contained a .NET injector, also reportedly seen in WastedLocker attacks. The injector, along with the loader for Cobalt Strike Beacon, is reportedly taken from an open-source project called Donut, which is designed to help inject and execute in-memory payloads.
  • In order to deploy the ransomware, the attackers use the Windows Sysinternals tool PsExec to launch a legitimate command line tool for managing Windows Defender (mpcmdrun.exe) to disable scanning of all downloaded files and attachments, remove all installed definitions, and, in some cases, disable real-time monitoring.
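
The process relationships in the chain above can be turned into detection logic. The sketch below is an added example, not code from Symantec or the article: it matches process-creation events against four stage rules and groups the hits per host. The event tuple layout, rule names and sample events are constructed for illustration; `PSEXESVC.exe` is the service binary PsExec runs on the target host, and `-RemoveDefinitions` is the MpCmdRun.exe switch that removes installed definitions.

```python
import re
from collections import defaultdict

# Discovery commands named in the report: whoami, net user, net group.
DISCOVERY = re.compile(r"\b(whoami|net1?(\.exe)?\s+(user|group))\b", re.I)

def base(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

# (stage name, predicate over parent name, image name, command line)
RULES = [
    ("script_host_discovery",
     lambda p, i, c: p == "wscript.exe" and bool(DISCOVERY.search(c))),
    ("script_host_powershell",
     lambda p, i, c: p == "wscript.exe" and i == "powershell.exe"),
    ("psexec_defender_cli",
     lambda p, i, c: p == "psexesvc.exe" and i == "mpcmdrun.exe"),
    ("defender_definitions_removed",
     lambda p, i, c: i == "mpcmdrun.exe" and "-removedefinitions" in c.lower()),
]

def match_event(event):
    """Return the name of every stage rule one process-creation event hits."""
    _host, parent, image, cmd = event
    return [n for n, pred in RULES if pred(base(parent), base(image), cmd)]

def stages_by_host(events):
    """Group matched stages per host so a lone hit can be told from a chain."""
    hits = defaultdict(set)
    for event in events:
        for name in match_event(event):
            hits[event[0]].add(name)
    return dict(hits)

def hosts_to_escalate(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages were seen."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

# Constructed sample events (host, parent image, image, command line); not real telemetry.
W, S = "C:\\Windows\\", "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ("ws01", W + "explorer.exe", S + "wscript.exe", "wscript.exe update.js"),
    ("ws01", S + "wscript.exe", S + "cmd.exe", "cmd.exe /c whoami /all"),
    ("ws01", S + "wscript.exe", S + "net.exe", "net group /domain"),
    ("ws01", S + "wscript.exe", S + "powershell.exe", "powershell.exe -NoProfile -File stage.ps1"),
    ("srv02", W + "PSEXESVC.exe", "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "MpCmdRun.exe -RemoveDefinitions -All"),
    ("ws07", W + "explorer.exe", S + "cmd.exe", "cmd.exe /c whoami"),       # benign admin use
    ("ws07", S + "svchost.exe", S + "MpCmdRun.exe", "MpCmdRun.exe -SignatureUpdate"),  # benign
]

if __name__ == "__main__":
    print(hosts_to_escalate(SAMPLE_EVENTS))
```

The two `ws07` events show why the rules key on the parent process and the switch rather than on the binary name alone: `whoami` from an interactive shell and a routine signature update produce no hits.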

When researchers discovered WastedLocker, they also found that Evil Corp was targeting large US enterprises. In the campaign discovered by Symantec security researchers, 31 US organizations, including a number of media and newspaper organizations, were actively targeted by Evil Corp. For Garmin to appear on Evil Corp’s radar is well within the group's known attack methods and tactics. There is one silver lining that Garmin may take from the experience: Evil Corp does not appear to release stolen data to the public or auction it off to the highest bidder. In recent months this has become a favored tactic of many other ransomware gangs, including DoppelPaymer, a gang which is believed to have parted ways with Evil Corp. DoppelPaymer shares many similarities with BitPaymer and is seen by the InfoSec community as a fork of Evil Corp's initial contribution to the ransomware family tree, which is sadly ever-expanding.

Terrible Timing

While Evil Corp might not release stolen data, that is where the good news ends. The 10 million USD ransom demanded is a staggering amount; however, there has been no indication that the company paid the ransom. This is something the wider public may never know. The reputational damage done to the company following the incident, while difficult to initially quantify, may be seen more clearly when the company announces its earnings. Wall Street may see a steep drop in Garmin’s stock as a result. It is important to remember that Garmin does not just offer wearable smartwatches but is involved in a number of critical infrastructure projects, including in both the aviation and automobile industries.

The reputational damage is made worse by Garmin’s poor crisis management response, which left consumers in the dark, only to be informed by media outlets relying on whistleblowers within the company. When one looks at the amount of sensitive data the company collects, the poor crisis management does not bode well for the company’s reputation and earnings. As it is, comparisons to Strava are already being made. In that incident, Strava’s fitness trackers were often used by US military personnel. The data collected was anonymized, but it could still be used to track personnel and the locations of sensitive US Government sites. This led to the Pentagon banning the use of Strava devices.

While some at Garmin may chalk up the incident to terrible timing with earnings reports to be issued, the truth of the matter is that all cyber incidents can be chalked up to terrible timing. With numerous high-profile cyber incidents occurring on a weekly basis, the reality is that companies are targeted and will fall victim to cybercriminals. What is of importance is how the company responds, especially when the company collects sensitive data from the devices it produces and sells. Researchers and customers alike have already started commenting on how Garmin’s network was set up so that a ransomware attack could render so many systems inoperable, especially critical systems used in the aviation industry.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
