On July 23, 2020, Garmin experienced a global outage in which customers could not access its connected services, including Garmin Connect, flyGarmin, Strava, and inReach solutions.
BleepingComputer was the first to confirm that Garmin had suffered a cyberattack by the operators of the WastedLocker ransomware, after employees shared photos of encrypted workstations and we found a sample of the ransomware used in the attack.
Employees later told BleepingComputer that the ransom demand was $10 million.
After a four-day outage, Garmin suddenly announced that it was starting to restore services, leading us to suspect that they had paid the ransom to receive a decryptor.
Garmin declined to comment further, however.
Confirmed: Garmin received a WastedLocker decryption key
Today, BleepingComputer gained access to an executable created by Garmin IT to decrypt a workstation and then install various security software on the machine.
WastedLocker is ransomware that targets businesses, and there are no known weaknesses in its encryption. Without such a flaw, a decryptor cannot be created for free.
To obtain a working decryption key, Garmin must have paid the ransom to the attackers. It is not known how much was paid, but as previously reported, an employee told BleepingComputer that the initial ransom demand was $10 million.
Once extracted, the restore package contains various security software installers, a decryption key, the WastedLocker decryptor, and a script that runs them all.
Once executed, the restore package decrypts the computer and then prepares the machine with security software.
Garmin's script contains a timestamp of '07/25/2020', which indicates that the ransom was paid on July 24 or July 25.
Using the WastedLocker sample from the Garmin attack, BleepingComputer encrypted a virtual machine and tested the decryptor to see whether it would decrypt our files.
In our test, demonstrated in the video below, the decryptor had no problem decrypting our files.
All businesses should follow the general rule of wiping all computers and installing a clean image after a ransomware attack. This reinstallation is necessary because you never know what the attackers changed during their foray.
From the script above, it does not appear that Garmin is following this guideline; instead, it is simply decrypting workstations and installing security software.
Custom decryptor used
The decryptor included in the package contains references to cybersecurity company Emsisoft and ransomware negotiation services company Coveware.
When BleepingComputer contacted Coveware, we were told that they were not commenting on any ransomware incidents reported in the media.
In a similar response, Emsisoft told us that it cannot comment on any cases, but that it creates decryption tools and is not involved in ransom payments.
"I cannot comment on specific cases, but in general, Emsisoft has no involvement in the negotiation or transaction of ransom payments. We're just creating decryption tools," Brett Callow, threat analyst at security firm Emsisoft, told BleepingComputer.
Emsisoft typically builds custom ransomware decryptors when the tools provided by the threat actors are buggy, or when companies are concerned that those tools may contain backdoors.
"If the ransom has been paid but the decryptor provided by the attacker is slow or faulty, we can extract the decryption code and create a custom solution that decrypts up to 50% faster with less risk of damage or data loss," Emsisoft states on its ransomware Recovery Services page.
As Evil Corp has been credited as the creator of WastedLocker and has been placed on the US sanctions list for using Dridex to cause over $100 million in financial damage, paying a ransom for this ransomware could result in hefty fines from the government.
Because of the sanctions, sources close to Coveware told BleepingComputer that the negotiation firm placed WastedLocker on its restricted list in early July and was not handling negotiations for the associated attacks.
Garmin has not responded to our questions at this time.