Garmin. Wow. I am a Garmin user, and have been for quite a while. This WastedLocker ransomware fiasco has sowed seeds of doubt in my mind about whether I should continue using Garmin services. Not only that, but it has also instilled doubt about their leadership and cybersecurity practices. The whole situation was a complete mess.
A bit of backstory for those that don’t know what happened. On July 23rd 2020, Garmin fell victim to a ransomware attack, which caused many consumer services of theirs to go offline. Garmin’s official stance was that, “Garmin was the victim of a cyber attack that encrypted some of our systems on July 23, 2020.” From a consumer point of view, Garmin using the adjective some is almost laughable. Many of their services were unusable during the outage caused by the attack. Garmin were incommunicado and a lot of information was relayed by Garmin employees, not through official channels. For example, the official Garmin Twitter account tweeted out twice on the 23rd of July, then was silent for two days. Two more tweets and then silence for another two days. On the 27th there were another two tweets and then nothing again until August 4th. Their last tweet was just advertising for a wristwatch. Even Garmin’s official blog post about the ransomware attack was very lacklustre.
It has been speculated that Garmin paid the ransom to have the decryption keys handed over. It is possible they used a third party service such as No More Ransom, however this is unlikely as No More Ransom do not have the WastedLocker ransomware listed in their decryption tools. My advice is to never pay the ransom; read more about it in this post. The No More Ransom project more or less echo this sentiment, stating, “The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.”
Garmin need to step up their cybersecurity game. Going by the limited information available, we can make some assumptions:
- The breadth of services affected by this ransomware indicates there may be little security separation between internal systems
- Garmin need to take a more layered, defense in depth approach to security. If ransomware infects a web server, it should not be able to easily infect other systems such as Billing.
- If Garmin utilised incremental off-site backups, the turnaround time for getting systems back online would have been minimal. Yes, they may have lost some data, but I would argue that losing a couple of hours’ worth of data is much better than having services completely offline for 5 days. Yes, there were services that were offline for 5 days. Granted, Garmin’s PR in relation to the ransomware attack did not help their reputation in the slightest.
- I realise that creating and maintaining incremental backups for a company such as Garmin would be complex, time-consuming and possibly quite costly. BUT, having a blasé attitude toward security can be much more costly. $10,000,000 more costly to be exact (assuming Garmin paid the ransom to receive the decryption keys).
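To make the backup point above concrete, here is an added illustration (my own example, not anything Garmin runs) of the simplest form of incremental off-site backup: a content-addressed repository where each snapshot copies only blobs whose hash is not already stored, plus a restore routine that verifies every blob against its hash before writing it back. The directory names, file contents and the "live tree gets destroyed" scenario are all constructed for the demo.

```python
"""Minimal content-addressed incremental backup with verified restore.
Added illustration, not Garmin's tooling: a local 'offsite' directory stands
in for off-site storage, and a snapshot copies only blobs the repo lacks."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, repo: Path, label: str) -> dict:
    """Record every file under `source`; copy only blobs the repo lacks."""
    blobs = repo / "blobs"
    snaps = repo / "snapshots"
    blobs.mkdir(parents=True, exist_ok=True)
    snaps.mkdir(parents=True, exist_ok=True)
    manifest, copied = {}, 0
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        manifest[str(path.relative_to(source))] = digest
        blob = blobs / digest
        if not blob.exists():          # unchanged content is deduplicated away
            shutil.copyfile(path, blob)
            copied += 1
    (snaps / f"{label}.json").write_text(json.dumps(manifest, indent=1))
    return {"label": label, "files": len(manifest), "blobs_copied": copied}


def restore_snapshot(repo: Path, label: str, dest: Path) -> int:
    """Rebuild the tree from a snapshot, verifying each blob's hash first."""
    manifest = json.loads((repo / "snapshots" / f"{label}.json").read_text())
    restored = 0
    for rel, digest in manifest.items():
        blob = repo / "blobs" / digest
        if sha256_file(blob) != digest:
            # never silently restore a blob that no longer matches its hash
            raise ValueError(f"corrupt blob for {rel}")
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(blob, target)
        restored += 1
    return restored


def demo() -> dict:
    """Constructed scenario: two snapshots, then a wipe of the live tree and a restore."""
    root = Path(tempfile.mkdtemp())
    src, repo, out = root / "live", root / "offsite", root / "recovered"
    (src / "billing").mkdir(parents=True)
    (src / "billing" / "invoices.csv").write_text("id,amount\n1,10\n")
    (src / "notes.txt").write_text("hello\n")
    first = take_snapshot(src, repo, "snap-1")
    # only one file changes between snapshots, so only one blob is copied
    (src / "billing" / "invoices.csv").write_text("id,amount\n1,10\n2,20\n")
    second = take_snapshot(src, repo, "snap-2")
    # simulate the live tree being lost (e.g. encrypted), then rebuild it
    shutil.rmtree(src)
    restored = restore_snapshot(repo, "snap-2", out)
    recovered = (out / "billing" / "invoices.csv").read_text()
    shutil.rmtree(root)
    return {"first_copied": first["blobs_copied"],
            "second_copied": second["blobs_copied"],
            "restored": restored,
            "recovered_rows": recovered.count("\n") - 1}


if __name__ == "__main__":
    print(demo())
```

The second snapshot copies a single blob because only one file changed, which is what keeps frequent (hourly) snapshots cheap and the data-loss window small. The one thing this toy does not model is the part that matters most against ransomware: the repository must sit where the compromised host cannot overwrite it (append-only or immutable storage, separate credentials), otherwise the backups are encrypted alongside everything else.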
Out of curiosity I went browsing the Garmin job vacancies for anything security-related. Two jobs stuck out, in particular Team Leader IT Security Operations and Aviation Cyber Security Systems Engineer. Though they were not up-front about when these roles were posted, searching the source code of the relevant pages indicated the jobs were updated on 2020-03-28 and 2020-03-30 respectively. Obviously, speculating about these positions and the timing of their posting would be just that: speculation. Still, it is quite curious. I wonder if they ever managed to fill the positions…