_All signs point to Garmin having paid the ransom to its 'hackers'. According to Sky, it would have done so through a third party acting as an intermediary._
_The alleged group of attackers is well known to the U.S. Treasury, wanted by authorities, meaning any financial transfer would be illegal._

Last Thursday, Garmin woke up in Europe with its systems completely down. A blackout — informational as well — that would drag on for the following four days and which the company is still trying to fully put behind it. A data encryption attack, known as ransomware, was suspected and ultimately confirmed by the company.
Faced with this scenario and considering the scope — some sources pointed to the shutdown of production lines in Taiwan — Garmin ended up reacting relatively quickly. BleepingComputer pointed to the involvement of a hacker group known as Evil Corp, which according to some sources was demanding up to $10 million in ransom.

According to Sky News, citing sources close to the incident, Garmin had at the very least obtained the key to decrypt its systems, rather than recovering the data via a backup of its servers and equipment. At this point, the most likely scenario is that it agreed to pay the ransom — whatever the amount — to the hacker group. Though not directly.
Evil Corp, wanted by authorities
The conflict that arises is not only a violation of the maxim "you don't negotiate with terrorists," but could also materialise in the form of sanctions. Evil Corp are by no means first-time black hat hackers. They are thought to have used malware believed to be of their own making, known as WastedLocker.
Eight months prior, the U.S. Department of the Treasury had already sanctioned this group, describing them as a "Russia-based cybercriminal organization" responsible for the development and distribution of the Dridex malware. With this tool, they had already stolen more than $100 million in banking assets across up to 40 countries.
So much so that the person considered the ringleader of this organization, Maksim Yakubets, has an arrest warrant issued by the U.S. Department of State, with a reward of no less than $5 million.
This is why negotiating with a criminal organization of this kind does not come for free, on top of the multimillion-dollar ransom. While "Americans are prohibited from conducting transactions," it remains unclear whether Garmin — a U.S.-headquartered company listed on the Nasdaq index — is permitted to give in to the blackmail simply because it is the victim of extortion. Contacted by Sky, the U.S. Treasury did not clarify this point.
The lesser evil
Faced with the risk of having a large portion of its systems encrypted, and under the more than likely pressure from the hackers in their usual tactic of threatening to delete everything entirely — often imposing deadlines — Garmin was most likely caught between a rock and a hard place. However, it does not appear that they simply opted to make a direct transfer to this group through traditional means.
This is why, according to the aforementioned outlet and sources close to the incident, Garmin apparently opted for a murkier route: using an intermediary through which to make the payment. This would also not be entirely legal, as U.S. law also contemplates these types of workarounds that attempt to bypass direct controls through third parties abroad:
"Foreign persons may be subject to secondary sanctions for knowingly facilitating one or more significant transactions with those designated persons."

When asked by various outlets, the tech company did not deny making a payment through a bridge entity, but simply declined to comment on the information.
The lesson to be learned
Garmin told media on Tuesday in a statement that they had "no indication that any customer data, including payment information from Garmin Pay, was accessed, lost, or stolen." This does not, of course, mean they are certain that no one has accessed this information.
The most modern post-intrusion ransomware techniques are increasingly aggressive toward targeted organizations. In this case, there are no guarantees that this information was not accessed before being encrypted. In fact, as the specialized outlet Secureworks notes, "even with backups, recovery will likely take weeks or months, not days." This would be a strong indicator that, once again, Garmin obtained the encryption keys from the attackers.
Nevertheless, it seems clear that Garmin had far more to lose in the short term from the attack than the alleged $10 million ransom. Even if it meant risking a possible but future fine. Having systems down for weeks or months seems like a worse option than paying that amount for a company that just reported revenues of $870 million — $188 million of which in profit — during the second quarter of the year.
That said, there are many experts who point to the possibility of this ordeal repeating itself at Garmin. As Forbes reports, Bharat Mistry, Director of Security Strategy at Trend Micro, states that this type of capitulation "opens a door," "it tells every would-be criminal, let's give it a shot" with them. Mistry suggests that perhaps they "don't have a backup of the data, that could be the reason they paid."
What is clear is that, after watching how multiple large companies have recently fallen victim to these types of attacks, having a contingency plan is imperative. That starts with having backups of all data, and protocols with the redundancy necessary to deploy them effectively. But also with the willingness to communicate to users, customers, and partners what is happening in an effective way — without waiting four days for everything to simply be resolved. Or not.
Source: BleepingComputer, hipertextual.