If your company has been hit by a ransomware attack, would you pay the ransom?
That was a critical question for Garmin last month, after a ransomware attack encrypted its internal network and some production systems. The tech company had to shut down its official website, and deal with disruptions in Garmin Connect’s user data-syncing service, its aviation database services, and even some production lines in Asia. The attackers reportedly demanded a US$10 million ransom in order to restore access.
I followed the developments of this attack with interest, especially because in this period of heightened cyber-risk, large-scale ransomware attacks have been dominating recent headlines. Big multi-national corporations (like Canon, Toll Group, and Nielsen) are featuring in the list of popular targets more frequently. This isn’t surprising, given our current pandemic-afflicted environment is a hotbed for cybercrime. As we battle with an ongoing health crisis, security experts like Microsoft are noting an “uptick in the volume of ransomware attacks” that are cruelly making this crisis worse. New strains of ransomware are emerging, with some cybercriminals also setting their malware to launch more quickly once inside the networks of their victim companies.
It’s only a matter of time before the hunters strike again, so it’s key that as business owners, we’re prepared to not only defend our companies, customers and data from ransomware attacks, but are also able to handle an attack if it occurs.
Here’s a brief summary of what occurred after Garmin was hit by the WastedLocker ransomware, and its response:
- On July 23rd, Garmin India first publicly announced that a disruption had occurred within the company, and tweeted about some servers being shut down due to planned maintenance that would limit the performance of the Garmin Express, Garmin Connect mobile, and its website.
- A few hours later, Garmin's main Twitter and Facebook accounts shared the same outage message about the incident impacting Garmin Connect services, including its mobile app and website, adding that its call centers were also down due to the outage.
- BleepingComputer reported that while Garmin didn't mention it in their outage alert, multiple flyGarmin services used by aircraft pilots were also down, including the flyGarmin website and mobile app, Connext Services (weather and position reports) and Garmin Pilot Apps.
- While Garmin refused to confirm whether these disruptions were triggered by a cyber-attack, third parties (like ZDNet & BleepingComputer) started reporting that the company had been allegedly hit by a WastedLocker ransomware attack. Whistleblowers from within the company revealed that the attack started in Taiwan, and BleepingComputer was told by one of its sources that the attackers were demanding a $10 million ransom. It was believed that this ransomware was linked to Evil Corp, a Russian-based cybercriminal group active since at least 2007.
- On Sunday morning, July 26, Garmin Fenix smartwatches couldn't offer distance and GPS tracking on runs. On a FAQ page dedicated to sharing more information about the ongoing outage, Garmin stated on the same day that it was working to restore systems and that no user data was impacted. Customers, however, took to social media to voice their displeasure at the way Garmin was responding to this attack, calling it “weak”:
- On Monday, July 27, Garmin began restoring services to Garmin Connect. Some functionality was limited, but the basics were working. The company also finally confirmed it had been the victim of a cyber-attack. It stated it still had “no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen.”
- As of Tuesday, July 28th the Garmin site was back up and activities were syncing again.
- That same day, Sky News reported that the company had obtained the decryption key to recover its computer files, adding that “sources with knowledge of the Garmin incident who spoke to Sky News on the condition of anonymity said that the company… did not directly make a payment to the hackers.”
- On 3rd August, Sky News had more information regarding what had happened, stating Garmin had “paid a multi-million dollar ransom to criminals who encrypted its computer files through a ransomware negotiation business called Arete IR.” It added that “neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so”.
I shudder to think of what Garmin and the people at the centre of it all went through during this multi-day ransomware attack. Being in the cybersecurity industry for over 20 years and having personally gone through a vicious cyberattack in my previous company, my heart goes out to them. The consequences of a disrupting attack such as this are, to put it mildly, grave. Companies can expect massive financial losses and a hit to their reputation (the rapidly trending posts on social media by frustrated Garmin customers was proof). But on top of all this, Garmin had a difficult decision to make.
The critical dilemma
On one hand, there were the risks of paying the ransom. The general rule is, as advocated by the FBI last year, not to pay. Paying up doesn't guarantee restored access to data and “due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.”
In addition, the FBI states that "paying ransoms emboldens criminals to target other organisations and provides an alluring and lucrative enterprise to other criminals". Paying a ransom could therefore trigger questions as to whether payment constitutes funding criminal groups, terrorism, rogue states, and/or violating anti-money laundering (AML) laws. Doing so may also perpetuate further ransomware attacks and increase the likelihood of your organisation becoming a target again, as cybercriminals could realise you are open and willing to pay a ransom.
To make matters worse, Evil Corp. was sanctioned by the U.S. Treasury Department last December, so paying a ransom to this group could result in hefty fines from the government. A payment through a third party which Garmin allegedly did, could also be subject to Treasury sanctions, that state “foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons,” though Forbes speculated that the payment of the ransom could be written off by Garmin as a tax-deductible business expense.
On the other hand, there were increasingly frustrated customers from all over the world, diminishing
brand reputation, revenue and loss of valuable data. From July 23rd to 27th, Garmin users worldwide weren’t able to use its products, or access its website for more information, support centres were out of commission, manufacturing was brought to a halt, and critically important flyGarmin services used by pilots were also down. The longer the disruptions dragged on, the bigger the tangible and non-tangible losses accrued by the company.
Container shipping company A.P. Moller-Maersk suffered a malware attack in 2017 that cost the company $300 million in lost revenue. Similarly, FedEx estimated a $300 million loss after it was hit by the NotPetya cyber-attack. If that’s an indication of how much Garmin could lose, the $10 million ransom probably paled in comparison. There was also the possibility of loss of personal data and affects on critical infrastructure (like aviation software), that could potentially be of interest to state actors.
Besides the claims made by Sky News, it’s unclear whether Garmin ended up paying the ransom. What is clear though, is that the temptation to pay the ransom amount is real for those businesses who may be crippled by an ongoing attack, losing significant amounts of money, causing inconvenience to customers and suffering from a reputational hit. And many businesses are, rightly or wrongly, giving in to this temptation. 51% of Australian IT and business executives stated in a survey conducted by Telstra last year that they had paid ransomware attackers to regain access to encrypted files. In addition, 79% of Australian respondents said they would pay the ransom again if there were no backup files. The percentage was similar in other regions. Many reasons can account for this trend, ranging from relatively cheaper ransom demands to more hackers resorting to data exfiltration extortion (which essentially involves an attacker taking possession of stolen data and putting it up for sale on forums or marketplaces.)
It’s easy as onlookers and commentators to pass judgements on whether these companies, Garmin included, did the right thing. While their hand may be forced, they may not be valid judgements, and can often vary based on the specific nature of the company, the type of attack, and the risks involved. These are variables that change in every case. That’s perhaps why even the FBI, while strongly advocating victims of ransomware should not pay their attackers, says in the same advisory that it “understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
Let’s turn this threat into an opportunity
I’m a firm believer in the power of collaboration and sharing our learnings when it comes to defending our businesses against cyber-attacks like these. The recent attack on Garmin is a good case study on the critical pressures & risks businesses face in the aftermath of a ransomware attack, and one we can explore during our conversations with our CISOs on incident response planning, and when deciding the right approach for our company in the event of a ransomware attack.
Prevention is always better than a cure, and proactively boosting your company’s cyber resilience levels can help mitigate the risks of such attacks. Malicious emails continue to be one of the most prolific ways of infecting systems with ransomware. In fact, nine out of 10 cyber-attacks are delivered via email. I strongly recommend adopting a multi-layered approach to your email security. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods, in the event that if one fails, the others will stop the threat.
Even if you have an email security solution in place, explore other solutions to layer your email defences and to protect your brand, your people and your data. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365. For more information on how MailGuard can help defend your inboxes, reach out to my team at firstname.lastname@example.org.
The ransomware attack on Garmin was a massive threat to the company, but we can turn this threat into an opportunity for all of us. An opportunity for us to recognise the risks of this all-too-real dilemma and use it to ask the right questions and generate further discussion, so we can be better prepared to protect our businesses, especially in this period of heightened cyber-risk.
Stay safe, everyone.
Should companies hit by a ransomware attack pay the ransom? Share your thoughts with me below.