💰💣

Garmin Security Incident

late July 2020 1888 days ago Resolved

Incident Overview

Situation Description

Garmin experienced a cyberattack in late July 2020 that disrupted its online services and encrypted some internal systems.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Technology

Geographic Scope

nan

Response Actions

Took Systems or Services Offline Restored Systems from Secure Backups Managed Public Narrative & Crisis Communications

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

N/A

Primary Impacts

Operational Disruption

Key Decisions Made

Garmin confirmed it was hit by a cyberattack that interrupted online services and encrypted some internal systems.; Garmin reported that services are up and running again, although data synchronization might be slow and is still limited in some individual cases.; Garmin stated there is no evidence anyone gained unauthorized access to user data during the incident.

Technical Analysis

Attack Method

Unknown

Threat Actor Attribution

WastedLocker

Additional Information

In late July 2020, tech news sites were brimming with articles about Garmin. Various Garmin services, including device syncing with the cloud and tools for pilots, were disabled. The dearth of accurate information left everyone theorizing wildly. For our part, we decided to wait for some concrete data before assessing the situation. In its official statement , Garmin confirmed that it had been hit by a cyberattack that interrupted online services and encrypted some internal systems. The information available at the time of this writing indicates that the attackers used the WastedLocker ransomware. Our experts performed a detailed technical analysis of the malware, and here are their main findings. WastedLocker ransomware WastedLocker is an example of targeted ransomware malware tweaked to attack a specific company. The ransom message referred to the victim by name, and all encrypted files got the additional extension .garminwasted . The cybercriminals cryptographic scheme points to the same conclusion. Files were encrypted using the AES and RSA algorithms, which ransomware creators often use in combination. However, one public RSA key is used to encrypt files, rather than one generated uniquely for each infection. In other words, if this ransomware modification were used against multiple targets, the data-decryption program would be general-purpose, because there would have to be one private key as well. In addition, the ransomware displays the following curious features: Prioritizing of data encryption, meaning the cybercriminals can specify a particular directory of files to encrypt first. That maximizes damage in case security mechanisms stop the data encryption before its complete; Support for file encryption on remote network resources; Privilege checking and use of DLL hijacking for privilege elevation. Youll find detailed analysis of the ransomware in the WastedLocker: technical analysis post on Securelist. Hows Garmin doing? According to the companys...

... (truncated for display)

Quick Facts

Company:: Garmin
Date:: late July 2020
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: nan

Source Information

Original Query

how did "Garmin" recover from "WastedLocker" ransomware attack

View Original Source

Timeline

Information Published

nan

Incident Occurred

late July 2020 (1888 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats