see
url:https://cyclingtips.com/2020/08/report-garmin-secured-decryption-key-paid-ransom-to-hackers-2/
Quote<<<
More than a week after Garmin was crippled by a ransomware attack, the
company’s services continue to return to normality. Activities are said
to be syncing, the company’s store and customer support are open for
business, and Garmin’s factories are starting to hum to life again.
But there are lingering questions that remain from Garmin’s ordeal.
Last week, CyclingTips looked into how the Garmin cyber attack happened,
and what it means for users, with an industry specialist – Oren T.
Dvoskin, of Israeli IT security firm SASA Software – providing insight
into the circumstances that led to Garmin’s downfall and the ripples
that continue to spread from it.
Perhaps the central issue that remains isn’t how it happened, but how
Garmin got it to stop.
Reporting in the wake of the ransomware attack revealed that Garmin had
been hit by the WastedLocker strain of ransomware, a tool of the
matter-of-fact-ly named Russian criminal hacking gang, Evil Corp.
Ransomware, where malicious hackers encrypt a company’s data and hold it
hostage until a ransom has been paid – usually in cryptocurrency – is on
the rise, and Garmin is one of the more high-profile companies to have
fallen prey to it. In this case, the price to unlock the encrypted data
was reported to be US$10 million.
Evil Corp has been sanctioned by the US Treasury, which means it would
have been illegal for Garmin to pay the ransom – either directly or
indirectly. However, Sky News reported mid-week that Garmin had
“obtained the decryption key” to recover its files, suggesting that
Garmin had coughed up.
Fresh reporting from BleepingComputer now indicates that to be the case.
The IT security and tech-focussed site claims to have obtained an
executable file created by the Garmin IT department, and from that was
able to demonstrate that Garmin had paid the ransom on either July 24 or
25 – within a couple of days of the attack.
BleepingComputer also reports that it was able to uncover references in
the file to ransomware negotiation firm Coveware, and cybersecurity firm
Emsisoft, indicating that Coveware may have negotiated a deal with Evil
Corp and Emsisoft may have assisted Garmin in streamlining the
decryption. Neither company offered specific comment, although it seems
plausible that Coveware – acting on Garmin’s behalf – negotiated with
and paid Evil Corp, then billed Garmin for services performed.
US travel management firm CWT was the victim of a similar attack last
week, using Ragnar Locker rather than WastedLocker ransomware. In that
case, Reuters reports that the hackers offered a generous discount for
timely payment of the ransom and were cordial and customer-service
oriented throughout the process – CWT’s data was held hostage for the
same amount of US$10 million, but the company ultimately negotiated
payment of just US$4.5 million.
Over the past week and a half, CyclingTips has been in contact with
Garmin, but the company has declined to comment on specific questions
asking firstly, whether Garmin paid the hackers the ransom, and
secondly, whether that took place directly or through a third party.
At this stage, there has been no announcement of fines imposed on Garmin
by the US Treasury. Given Garmin’s 2019 revenue was US$3.75 billion –
with a profit of US$2.23 billion – perhaps any punishment that follows
can be chalked up as a drop in the ocean, and part of the company’s
tough lesson in cybersecurity.
>>>End of Quote