Update July 27 23:27
Garmin has now confirmed the attack of the 23rd. The company says it has no indication that any data was accessed or stolen, including data relating to Garmin Pay. You can find the full press release at this link or at the end of the article.
Update July 27 08:30
Garmin is starting to recover its systems and is gradually bringing services back online. You can check their status directly from here.
A new chapter in the "Garmin incident", or how all Garmin services went down because of the attack the company suffered.
At this point we already know from internal sources that the whole Garmin outage was caused by a cyber attack that spread across the company's network.
You're probably already aware of the whole incident, but just in case, let's take a look at what happened.
The Garmin incident step by step
It all started around July 23rd. Without prior notice, all Garmin services stopped working. What looked like unscheduled maintenance dragged on for hours. No services were working, and the only official notification we had was that Garmin had suffered an unscheduled network outage and was working on resolving it.
When someone trips over the plug cord... pic.twitter.com/kHsRxShMpU
- Eduardo correrunamaraton.com (@Correr1Maraton) July 23, 2020
In other words, an unexpected situation, but one that was within the realm of possibility at any given time. A few hours of downtime, some work by the IT department, and little else.
However, after many hours without service (email, call center... even sales were interrupted), the first rumors emerged: Garmin had suffered a ransomware attack that had forced the company to shut down ALL of its computers and services.
The official position of Garmin at the moment remains the same, there is no change in the official message and all services are still interrupted. However, they have modified the service status page and now everything is shown in a clearer way. At least we know that in one way or another it is being worked on.
But today the news broke. The ransomware attack has been confirmed through internal sources (not officially). Thanks to www.bleepingcomputer.com we have more details of what happened.
What is a ransomware attack
Ransomware attacks are one of the fastest-growing cybercrimes of recent years. A criminal group manages to get malware onto one computer of the targeted company or institution, and from there it spreads to the other devices reachable over the same network. Not only the local network: any site connected through a VPN is reachable too, so the infection can spread worldwide.
The malware usually gets in through social engineering, typically a phishing e-mail with an attachment, in the hope that someone in the company will open it and infect the first computer.
The first thing ransomware does is spread. It is not designed to stay on a single computer but to reach, as far as possible, every device connected to the network.
Later, once the attackers have spread as far as they can (sometimes at a chosen date and time), the payload is triggered and the data on every infected computer is encrypted. At that point the group contacts the company or institution and demands a sum of money in exchange for the key that decrypts the data.
The ransomware attack suffered by Garmin
As mentioned above, the internal source has confirmed that Garmin's infection was caused by the WastedLocker ransomware. As soon as the attack became known, Garmin's system administrators tried to shut down ALL devices on the network as quickly as possible, to prevent more files from being encrypted.
But keep in mind that by the time encryption starts the infection has already spread, so how much is lost is simply a matter of time and of how many files each computer holds.
They could not do this remotely, and employees had to manually shut down every device they had access to.
On all infected computers, the files were encrypted with the extension .garminwasted, together with a ransom note for each of them. These are the images provided by the source to www.bleepingcomputer.com.
This shutdown of all devices is what caused the downtime of Garmin's services. It is therefore not known what has been affected: whether the malware stayed on the computers of the company's staff or also reached the servers where the services are hosted. The disruption happened while trying to save as many files as possible, and there are still no details on how far the encryption got.
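The two traces described above (files being renamed to one previously unseen extension, and a ransom note dropped next to them) are exactly what a file-server audit log or an endpoint agent would record while the encryption is still running, and they are what a detection rule should key on so that machines can be isolated before "it is simply a matter of time". The following is an added example, not code from the original post, from Garmin or from BleepingComputer: it runs a simple triage over a constructed stream of file-system events and flags any host that renames many files to one new extension in a short window, or that creates the same file name in many directories. The extension .garminwasted comes from the post; the host names, paths, timestamps, thresholds and the ransom-note file name are assumptions made for the sample.

```python
"""Ransomware indicator triage over file-system events (added example).

Detects two signals a WastedLocker-style infection leaves in audit logs:
  1. a burst of renames to a single, previously unseen extension, and
  2. one file name (a ransom note) created in many directories.
All sample data below is constructed; ".garminwasted" is from the post,
the rest (hosts, paths, note name, thresholds) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath

RANSOM_NOTE_NAME = "HOW_TO_RESTORE_FILES.txt"   # assumed name, not the real note


@dataclass(frozen=True)
class FsEvent:
    ts: datetime
    host: str
    op: str              # "rename" or "create"
    path: str            # resulting path
    old_path: str = ""   # source path for renames


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_ransomware_indicators(events, window=timedelta(minutes=5),
                               rename_threshold=20, note_dir_threshold=10):
    """Return {host: {"mass_rename": (ext, burst), "ransom_note": (name, ndirs)}}
    for every host that trips at least one of the two indicators."""
    renames = defaultdict(list)   # (host, new extension) -> [timestamps]
    creates = defaultdict(set)    # (host, file name)     -> {parent directories}
    for ev in events:
        p = PurePosixPath(ev.path)
        if ev.op == "rename":
            old_ext = PurePosixPath(ev.old_path).suffix
            if p.suffix and p.suffix != old_ext:      # extension changed, not a plain move
                renames[(ev.host, p.suffix)].append(ev.ts)
        elif ev.op == "create":
            creates[(ev.host, p.name)].add(str(p.parent))

    findings = defaultdict(dict)
    for (host, ext), times in renames.items():
        burst = _max_in_window(times, window)
        if burst >= rename_threshold:
            findings[host]["mass_rename"] = (ext, burst)
    for (host, name), dirs in creates.items():
        if len(dirs) >= note_dir_threshold:
            findings[host]["ransom_note"] = (name, len(dirs))
    return dict(findings)


def build_sample_events():
    """Constructed sample: benign workstation noise, then an encryption burst on a file server."""
    base = datetime(2020, 7, 23, 2, 0)          # assumed timestamp
    events = []
    # Benign: a user renaming a few documents over an hour on workstation ws07.
    for i in range(6):
        events.append(FsEvent(base + timedelta(minutes=10 * i), "ws07", "rename",
                              f"/home/ana/docs/report{i}.bak",
                              f"/home/ana/docs/report{i}.docx"))
    # Malicious: 24 files across 12 share directories renamed to .garminwasted in ~2 minutes...
    dirs = [f"/srv/share/dept{d}" for d in range(12)]
    for i in range(24):
        d = dirs[i % len(dirs)]
        events.append(FsEvent(base + timedelta(minutes=30, seconds=5 * i), "fs01", "rename",
                              f"{d}/file{i}.xlsx.garminwasted",
                              f"{d}/file{i}.xlsx"))
    # ...and the same ransom note dropped into every one of those directories.
    for i, d in enumerate(dirs):
        events.append(FsEvent(base + timedelta(minutes=32, seconds=i), "fs01", "create",
                              f"{d}/{RANSOM_NOTE_NAME}"))
    return events


if __name__ == "__main__":
    for host, hits in find_ransomware_indicators(build_sample_events()).items():
        print(host, hits)
```

In a real deployment the events would come from the file server's audit log or an EDR feed rather than from `build_sample_events()`, and the thresholds should be tuned against a baseline of normal rename activity; the point of the two signals is that each one alone is noisy (backup tools rename files, installers drop README files), while both together on one host within minutes is a strong reason to isolate it immediately.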
What hackers ask of Garmin
According to that inside source, the attackers have demanded $10 million as ransom for the files, of course to be paid in Bitcoin in the belief that it cannot be traced (in practice Bitcoin transactions are public and pseudonymous, not anonymous).
My personal opinion is that Garmin should not give in to this blackmail, as it is the only way to prevent it from happening in the future. If the hackers get that ransom, nothing will prevent them from acting similarly again, or other groups from doing the same to other companies or institutions.
Has your data been leaked?
Probably not. These types of attacks focus on encrypting data to render it unusable except for those who hold the decryption key; they are not primarily aimed at stealing user data, passwords or private information. Bear in mind, though, that some ransomware groups do copy data out of the network before encrypting it, to add the threat of publication to the ransom demand.
Of course, nothing can be confirmed, at least not until Garmin makes a statement. European data protection law (GDPR) is clear on this point: once a company becomes aware of a breach of personal data it has 72 hours to notify the supervisory authority, and if the breach is likely to pose a high risk to the people affected it must also inform them without undue delay.
Therefore, if Garmin identifies that, in addition to the encryption, personal data was stolen, it will have to notify the authority and its customers, and the clock starts from the moment it confirms the breach, not from the moment the services went down.
Official press release from Garmin on the matter
On July 27th Garmin finally issued a press release, explaining only very briefly what happened. It should be remembered that the matter is under police investigation, so they cannot give many more details either. Below I copy the content of the press release:
Statement from Garmin on recent incident
Affected systems are being restored and are expected to operate normally soon.
July 27, 2020.- Garmin announces that we have been the victim of a cyber-attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were disrupted, including website functions, customer support, customer applications and company communications. We immediately began assessing the nature of the attack and began remediation. We have no indication that any customer data, including Garmin Pay™ payment information, was accessed, lost or stolen. In addition, the functionality of Garmin products was not affected, other than the ability to access online services.
The affected systems are being restored and we expect to return to normal operations in the next few days. We do not expect any material impact on our operations or financial results due to this outage. In the process of restoring our systems, information will be restored gradually and you may experience delays. We appreciate our customers' patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has always been our hallmark and tradition.
That's the way things are at the moment. My recommendation is to be patient, because this may last a few more days. In the meantime you can continue to synchronize your Garmin manually even if Garmin Connect is not operational.
Be assured, too, that your phones and computers are safe and that you have nothing to fear: having Garmin software installed does not put you inside Garmin's network.
And with that... thanks for reading!