UPDATED: Garmin Suffers Reported Ransomware Attack

2020-07-23T19:43:25
ID THREATPOST:EE45051DD8877CF5DC5BFA4E01A0B240
Type threatpost
Reporter Tara Seals
Modified 2020-07-23T19:43:25

Description

Garmin, maker of fitness trackers, smartwatches and GPS-related products, has reportedly suffered a widespread ransomware attack — though the facts around the cause remain unconfirmed for now.

The manufacturer tweeted on Thursday that its Garmin Connect service is down; Garmin Connect is a free app for tracking, analyzing and sharing health and fitness activities from a Garmin device.

“We are currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time,” it acknowledged.

On Thursday night Eastern Time, Garmin also announced that the outage is affecting its commercial aviation offerings, with flight plan filing, account syncing and database concierge capabilities unavailable in the Garmin Pilot app. Its Connext connected-cockpit services, which handle weather, position reports and data from the on-board Central Maintenance Computer (CMC) found on aircraft, are also down. And the entire flyGarmin suite is down; flyGarmin is a Windows app that simplifies avionics database updates and downloads (navigation, charts and more) for pilots.

“We are currently experiencing an outage that affects flyGarmin and as a result, the flyGarmin website and mobile app are down at this time,” it noted in a website notice. “This outage also affects our call centers, and we are currently unavailable to receive any emails or chats, but do have limited availability for calls. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

In-flight phone and SMS services remain available via Iridium; and the FltPlan service (offering runway analysis, safety services, flight planning and more) is fully operational, it said.

But it also added, “This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

Meanwhile, a local media outlet in Taiwan, where Garmin’s production facilities are based, reported that the outage will soon extend to production lines too: “The production line will be suspended for two days [July 24 and 25]. At the same time, the official website also announced that the company, including the customer service system, map software updates, and application updates, has suspended related services due to system maintenance.”

The tweets and reporting confirm what users have been reporting since the service went down Wednesday night Eastern Time. As the outage has dragged on, users have become aware how much their personal devices interact with the electronics giant’s infrastructure.


“It’s made me realise [sic] how crazy-reliant my Garmin watch is on their infrastructure,” said a poster on a Hacker News forum. “I went onto the app this morning to try and alter a watch face I already have downloaded, which should totally be configurable through just the mobile app alone. Why the hell does it need to talk to Garmin’s servers to let me do this? It should just be possible through the app alone, without needing any involvement from Garmin’s servers.”

Another pointed out the potential danger to personal data: “I am concerned a little for the location of my home now being in the hands of the wrong people.”

The situation has caused widespread speculation that the sheer reach of the outage into Garmin’s infrastructure indicates a ransomware attack; and one outlet said that Garmin employees have confirmed that the WastedLocker ransomware is to blame.

Update: Further reports over the weekend pointed to the WastedLocker ransomware being behind the cyberattack. Sources reportedly shared photos with BleepingComputer of a Garmin computer whose encrypted files each carried the .garminwasted extension.

WastedLocker first appeared on the scene in May, as the work of the Evil Corp group (a.k.a. Dudear). Evil Corp is also associated with the Dridex banking trojan and the BitPaymer ransomware.

Evil Corp’s previous schemes involved capturing banking credentials with Dridex and then making unauthorized electronic funds transfers from unknowing victims’ bank accounts. Money mules would then receive the stolen funds into their own bank accounts and move them overseas. Multiple companies were targeted by Dridex, costing them millions of dollars; victims included two banks, a school district, a petroleum business, a building materials supplier and others.

“Wow! This is a doozy,” Saryu Nayyar, CEO at Gurucul, said in an email. “A likely ransomware attack taking down pretty much everything Garmin – website, call center, email, chat, production systems and data-syncing service. You just don’t know when the bad guys are going to attack and who will be their next victim. However, what we do know is every organization is susceptible to ransomware attacks.”

She added, “Hopefully, Garmin has a daily backup regimen for the company’s systems and data – that’s table stakes.”

In December, the Feds started cracking down on the group: U.S. authorities offered up $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes by the moniker “aqua.” Separately, the U.S. Treasury Department in January issued sanctions against Evil Corp, “as part of a sweeping action against one of the world’s most prolific cybercriminal organizations.”

This is a developing story and Threatpost will update the reporting as it evolves.

This post was updated at 9:15 ET on July 24 to reflect the incident’s impact on commercial aviation services, and at 8:41 ET on July 27 to reflect new reports linking the attack to the WastedLocker ransomware.