$10M ransomware payment could spell legal trouble for Garmin
Garmin makes a wide array of GPS-connected devices, such as fitness bands and personal GPS units used by consumers, as well as devices used by pilots, ship captains, and more. As such, a whole lot of people were affected when Garmin’s networks went down late last week.
Today, the company admitted what was reported before and over the weekend: Garmin’s systems had been hit by a ransomware attack, with a hacking group demanding a $10 million payment to decrypt the company’s networks and restore its products to full, working order. Such schemes typically demand payment in cryptocurrency, most often in either Bitcoin or, increasingly, the privacy coin Monero.
Garmin did not provide much information in its official press release, aside from confirming that the outage was due to an attack and noting that customers’ data does not appear to have been accessed or affected in any way. The company will gradually restore all access to its systems for consumers in the coming days.
However, there’s an interesting wrinkle in all of this beyond the prominent example of a major company dealing with a cyberattack that impacts consumer-facing products and services—and it has to do with the suspected attackers.
Garmin may have just paid a sanctioned entity to get their data back. Probably worth investigating. https://t.co/859Ls6s264
— Nicholas Weaver (@ncweaver) July 27, 2020
According to Sky News and other sources, the attack was done with the WastedLocker ransomware and is believed to have been performed by a Russian hacking group known as Evil Corp. Last December, the United States Treasury announced sanctions against Evil Corp. for its reported role in developing the Dridex malware and working with Russian intelligence to attack Western companies.
American companies are prohibited from doing business with organizations and individuals that have been sanctioned by the US Treasury, so if Garmin did pay a crypto random—which was reported to be as high as $10 million—to obtain the decryption key, then it may have broken the law in the process.
Garmin would not comment on the subject when asked by Sky, and likewise, the US Treasury did not respond to questions from the publication. A source with knowledge of the Garmin situation did tell Sky, however, that a direct payment was not made to hackers.
Even if a third-party paid on behalf of Garmin, that won’t necessarily avoid trouble with the US Treasury, per this regulation: “Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons.”
For now, there are still question marks: Did Garmin pay the ransom, and if so, how much was it? And if the company did pay, will that then cause trouble with the US Treasury for transacting with a sanctioned foreign party? It’s possible that this disruptive and potentially very expensive short-term headache for Garmin will hurt even more in the long run.