American firm Garmin reportedly used a ransomware negotiation business, which in turn paid hackers a multi-million dollar ransom
The fallout of the Garmin hack continues this week, with allegations that the US fitness and navigation specialist paid a multi-million dollar ransom to cyber criminals.
Garmin was the victim of a ransomware attack on 23 July, when its systems were impacted by what it initially described as an ‘outage’.
Days later, the American firm admitted it had suffered a ransomware attack. Worryingly, media reports at the time revealed that Garmin had somehow obtained the decryption key to recover its computer files, although the firm “did not directly make a payment to the hackers.”
Arete IR touts that it has “assembled an elite global team of incident response experts to create unparalleled capability to assist clients in preparing for and defending themselves against a cyber-attack, from incident response readiness assessments to post-incident remediation and ongoing hunt services.”
Garmin could only have obtained a decryption key if it paid (even indirectly) the hackers (said to be Russia-based Evil Corp), who reportedly used the ransomware known as WastedLocker.
Although Garmin may have allegedly made a payment via a third party, it could potentially be at risk of violating US Treasury sanctions against Evil Corp.
However, Garmin could potentially evade investigation here, as the criminals reportedly developed the ransomware after the US sanctions were issued in December, and so it is not mentioned specifically in the US Treasury’s sanction notice.
The US government has not yet made a public attribution linking WastedLocker to the sanctioned individuals.
According to people with knowledge of the matter, speaking to Sky News on the condition of anonymity, Garmin had initially sought to pay the ransom using another firm which specialises in responding to these incidents.
However, this unnamed firm told Garmin that it didn’t negotiate ransom payments in WastedLocker cases due to the risk of running foul of US sanctions.
The sources said after being initially rejected by that unnamed firm, Garmin then sought the services of Arete IR.
Sources with knowledge of the incident told Sky News that Garmin did not directly make a payment to the hackers.
Separate sources confirmed to Sky News that Arete IR made the payment as part of its ransomware negotiation services, although Arete argues that WastedLocker is not conclusively the work of Evil Corp.
Neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so, Sky News reported.
A representative for Arete told Sky News they could not comment regarding Garmin, stating: “Arete has contractual confidentiality obligations to all clients and therefore cannot discuss any client identity or interactions.”
Regarding the allegation that the operators of WastedLocker are covered by US sanctions, they added: “Arete follows all recommended and required screenings to insure compliance with US trade sanctions laws.”
Garmin told Sky News it had no additional comment to make.
Security experts always advise ransomware victims not to pay the ransom, as there is no guarantee they will actually receive the decryption key from the hackers.
Instead, firms are advised to regularly back up systems and files and then restore systems after an attack.