Garmin staggers back online after ransomware attack

So, did they pay up or not?

Graham Cluley
@gcluley


Garmin’s online services are beginning to come back to life after it was hit badly by ransomware last week.

In a press release which – like all of its previous communications on the topic of its outage – seems to go out of its way to avoid using the word “ransomware”, the wearable tech firm for the first time admits that it was “the victim of a cyber attack that encrypted some of [its] systems”:

Garmin Ltd. today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.

Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage. As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.

Why the reticence about using the word “ransomware”? Why has it taken until now for Garmin to say that it had fallen foul of a cyber attack, when industry commentators and media outlets have been declaring it a ransomware infection for days.

Well, I suspect there might be a good reason that Garmin is so wary of using the word “ransomware,” and it might be because the first question any tech journalist is likely to ask is, “so did you pay the ransom or not?”

Sign up to our newsletter
Security news, advice, and tips.

And that’s a question that at the moment Garmin doesn’t seem to be racing to answer. Rumours have spread online that the company’s hackers might have demanded as much as $10 million for the decryption key to recover their data.

Whether Garmin is recovering its data due to a payment to the criminals behind the attack (suspected of being the Evil Corp gang) or through good old-fashioned secure backups is also not clear from Garmin’s statement.

One possibility is that Garmin might have used an intermediary to help them uhh.. “resolve” the issue. There are companies out there who offer help to decrypt the data of companies who have been hit by ransomware.

How do these ransomware recovery companies do it? Well, you pay them a small fortune, they give some of it to the bad guys, and then they pass on to you the decryption key. That helps your firm plausibly deny that it paid any money to criminals…

Garmin does seem to be attempting to reassure customers that they have seen “no indication” that their personal data has been accessed.

If true, that’s good news – Garmin’s fitness trackers and other technology could contain a treasure trove of information for intelligence agencies…

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.