Evil Corp operators used WastedLocker ransomware to encrypt systems on Garmin’s network, which has led to a significant worldwide outage of multiple services and products, including Garmin Connect, Garmin Explore, Garmin inReach, and flyGarmin.
A Garmin employee said that they first learned of the attack when they arrived at their office on Thursday morning. The Garmin IT department had tried to remotely shut down all computers on the network as devices were being encrypted, including home computers connected via VPN. After being unable to do so, employees were told to shut down any computer on the network that they had access to.
As part of this company-wide shutdown, Garmin did a hard shutdown of all devices hosted in a data center as well to prevent them from possibly being encrypted. This company-wide shutdown is what caused the global outage for Garmin Connect and other connected services.
iThome published a report on a Garmin internal memo about a ‘virus’ attack affecting the company’s internal IT servers and databases that caused Garmin Taiwan factories to shut down production lines.
Reports state that the attack started in Taiwan, which coincides with the location of one of the users who uploaded the sample to VirusTotal. BleepingComputer was told by one of its sources that the attackers are demanding a $10 million ransom.
Evil Corp’s WastedLocker ransomware
Evil Corp (aka the Dridex gang) is a Russian-based cybercriminal group active since at least 2007 known to be the ones behind Dridex malware and for using ransomware as part of their attacks including Locky ransomware and their own ransomware strain known as BitPaymer.
The U.S. Treasury Department sanctioned the Evil Corp gang in December 2019 after using Dridex to cause more than $100 million in financial damages. Due to this sanction, it’s a tricky situation for Garmin. If they wanted to pay the ransom, they would potentially be violating United States sanctions.
Since 2019, the hacking group has refreshed their tactics and are once again involved in the ransomware “business,” deploying their new WastedLocker ransomware in targeted corporate attacks and asking for ransoms of millions of dollars.
Last month, Evil Corp was blocked from deploying WastedLocker ransomware as part of dozens of attacks against major U.S. corporations, including multiple Fortune 500 companies. However, they did manage to compromise devices used by employees of over 30 major US private firms using fake software update alerts displayed by the malicious SocGholish JavaScript-based framework delivered through dozens of hacked U.S. newspaper websites.
Although Garmin Connect is not accessible during the outage, activity and health and wellness data collected from Garmin devices during the outage is stored on the device and will appear in Garmin Connect once the user syncs their device.
Update: Garmin says on a page dedicated to sharing more information about the ongoing outage that they are working to restore systems and there’s no indication that this outage has affected user data, including activity, payment or other personal information.
Emails sent to Garmin for more information on this incident, continue to bounce back as the mail servers are shut down.