[BreachExchange] Garmin Risks Repeat Attack If It Paid $10 Million Ransom

Destry Winant destry at riskbasedsecurity.com
Tue Jul 28 10:32:05 EDT 2020


https://www.forbes.com/sites/barrycollins/2020/07/28/garmin-risks-repeat-attack-if-it-paid-10-million-ransom/#fe57ac14a6e7

A security expert has warned that Garmin is now an even bigger target
if it paid the alleged $10 million ransom to free its systems of
malware.

Several Garmin apps and the company’s manufacturing plants were
knocked offline on Friday, after the company suffered what’s reported
to be a ransomware attack. Ransomware encrypts files on computers and
spreads across a network, crippling systems until either a fee is paid
for the decryption key or one can be found by other means.

Garmin’s systems started to come back online yesterday, shortly before
the company issued a statement confirming that “it was the victim of a
cyber attack that encrypted some of our systems”.

A report from BleepingComputer suggested the ransom fee was set at $10
million. A separate report from Sky News published yesterday claims
Garmin obtained the decryption key for the ransomware, but that the
company did not pay the hackers directly. However, Sky claims Garmin
repeatedly refused to deny that the ransom payment could have been
made via a third party, claiming it “does not comment on rumor or
speculation”.

Garmin had not responded to a request for comment at the time of publication.

A mistake to pay?

Security experts say that paying hackers - either directly or
indirectly - to free systems from ransomware can create even bigger
problems for the companies who do so.

“To my mind, you should not pay a ransom at all,” said Bharat Mistry,
principal security strategist at Trend Micro, who stressed he had no
direct knowledge of whether Garmin had paid the ransom or not.

Mistry said that paying ransoms makes companies an even bigger target:
given the potential rewards, “it means other people are going to have
a go at breaking into the network.” “It opens a door,” Mistry said.
“It says to all would-be criminals, let’s have a pop.”

Furthermore, there’s no guarantee that the original attackers will not
strike again, even after the ransom has been paid. “You don’t know
what they’re going to do or what they’ve left behind,” said Mistry. He
claims there have been previous instances of “timebombs” left on
victims’ networks, which encrypt computers for a second time, even
after a ransom has been paid.

Threat to go public

Mistry says that Garmin may have been backed into a corner if the
company - or a third-party intermediary - entered into negotiations
with the hackers. The hackers may have issued a “countdown timer”,
threatening to delete the company’s files unless the ransom was paid
within a matter of days or weeks, Mistry claims.

“The threat could be complete destruction of files or a threat to
expose the data to public disclosure on a website,” he said.

“If it’s the case with Garmin that it doesn’t have stuff backed up, it
could be the reason it has paid.”

In the statement issued yesterday, Garmin said that it had “no
indication that any customer data, including payment information from
Garmin Pay, was accessed, lost or stolen. Additionally, the
functionality of Garmin products was not affected, other than the
ability to access online services.”
