If a company has been hit by a ransomware attack, should it pay the ransom?
That question has been on my mind lately, especially because large-scale ransomware attacks have been dominating recent headlines. Big multi-national corporations (like Canon, Toll Group, and Nielsen) feature in the list of companies impacted. It isn't surprising; our current pandemic-afflicted environment is a hotbed for cybercrime. As we battle an ongoing health crisis, security vendors like Microsoft are noting an "uptick in the volume of ransomware attacks" that are cruelly making this crisis worse. New strains of ransomware are emerging, and some cybercriminals are also configuring their malware to launch more quickly once inside their victims' networks.
Garmin was hit in July, after a ransomware attack encrypted its internal network and some production systems. The tech company had to shut down its official website and deal with disruptions in Garmin Connect’s user data-syncing service, its aviation database services, and even some production lines in Asia. The attackers reportedly demanded a US$10 million ransom in order to restore access.
As trusted partners, we have a responsibility to advise our business customers and to keep them cyber safe. Here's a summary of what happened to Garmin that you can share with customers as a case study when assisting them with incident response planning and helping them enhance their cyber-readiness.
Here’s how it all began:
- On July 23rd, Garmin India first publicly announced that a disruption had occurred within the company, and tweeted about some servers being shut down due to planned maintenance that would limit the performance of Garmin Express, Garmin Connect mobile, and its website.
- A few hours later, Garmin's main Twitter and Facebook accounts shared the same outage message about the incident impacting Garmin Connect services, including its mobile app and website, adding that its call centers were also down due to the outage
- BleepingComputer reported that while Garmin didn't mention it in their outage alert, multiple flyGarmin services used by aircraft pilots were also down, including the flyGarmin website and mobile app, Connext Services (weather and position reports) and Garmin Pilot Apps.
- While Garmin refused to confirm whether these disruptions were triggered by a cyber-attack, third parties (like ZDNet & BleepingComputer) started reporting that the company had been allegedly hit by a WastedLocker ransomware attack.
- Whistleblowers from within the company revealed that the attack started in Taiwan, and BleepingComputer was told by one of its sources that the attackers were demanding a $10 million ransom. The ransomware was believed to be linked to Evil Corp, a Russia-based cybercriminal group active since at least 2007.
- On Sunday morning, July 26, Garmin Fenix smartwatches couldn't offer distance and GPS tracking on runs. On a FAQ page dedicated to sharing more information about the ongoing outage, Garmin stated on the same day that it was working to restore systems and that no user data was impacted. Customers, however, took to social media to voice their displeasure at the way Garmin was responding to this attack, calling it "weak".
- On Monday, July 27, Garmin began restoring services to Garmin Connect. Some functionality was limited, but the basics were working. The company also finally confirmed it had been the victim of a cyber-attack. It stated it still had “no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen.”
- As of Tuesday, July 28th the Garmin site was back up and activities were syncing again.
- That same day, Sky News reported that the company had obtained the decryption key to recover its computer files, adding that “sources with knowledge of the Garmin incident who spoke to Sky News on the condition of anonymity said that the company… did not directly make a payment to the hackers.”
- On 3rd August, Sky News had more information regarding what had happened, stating Garmin had “paid a multi-million dollar ransom to criminals who encrypted its computer files through a ransomware negotiation business called Arete IR.” It added that “neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so”.
I shudder to think of what Garmin and the people at the centre of it all went through during this time. Being in the cybersecurity industry for almost 20 years and having personally gone through a vicious cyber-attack in my previous company, my heart goes out to them. The consequences of a disrupting attack such as this are, to put it mildly, grave. Companies can expect massive financial losses and a hit to their reputation (the rapidly trending posts on social media by frustrated Garmin customers were proof). But on top of all this, Garmin had a difficult decision to make.
The critical dilemma
On one hand, there were the risks of paying the ransom. The general rule, as advocated by the FBI last year, is not to pay. Paying doesn't guarantee restored access to data; as the FBI notes, "due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key."
In addition, the FBI states that "paying ransoms emboldens criminals to target other organisations and provides an alluring and lucrative enterprise to other criminals". Paying a ransom could therefore trigger questions as to whether it constitutes funding criminal groups, terrorism, rogue states, and/or violating anti-money laundering (AML) laws. Doing so may also perpetuate further ransomware attacks and increase the likelihood of your organisation becoming a target again, as cybercriminals could realise you are open and willing to pay a ransom.
To make matters worse, Evil Corp was sanctioned by the U.S. Treasury Department last December, so paying a ransom to this group could result in hefty fines from the government. Routing a payment through a third party, as Garmin allegedly did, does not remove that exposure: the Treasury's sanctions state that "foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons."
On the other hand, there were frustrated customers from all over the world, damage to the company's brand reputation and revenue, and the loss of valuable data. From July 23rd to 27th, Garmin users worldwide weren't able to fully use its products or access its website for more information, support centres were out of commission, manufacturing was brought to a halt, and flyGarmin services used by pilots were also down. The longer the disruptions dragged on, the bigger the tangible and intangible losses accrued by the company.
Container shipping company A.P. Moller-Maersk suffered a malware attack in 2017 that cost the company $300 million in lost revenue. Similarly, FedEx estimated a $300 million loss after it was hit by the NotPetya cyber-attack. If that’s an indication of how much Garmin could lose, the $10 million ransom probably paled in comparison. There was also the possibility of loss of personal data and the effect on critical infrastructure (like aviation software), that could potentially be of interest to state actors.
Beyond the claims made by Sky News, it's unclear whether Garmin ended up paying the ransom. What is clear, though, is that the temptation to pay is real for businesses that are crippled by an ongoing attack, losing significant amounts of money, inconveniencing customers and suffering a reputational hit. And many businesses are, rightly or wrongly, giving in to this temptation.
51% of Australian IT and business executives stated in a survey conducted by Telstra last year that they had paid ransomware attackers to regain access to encrypted files. In addition, 79% of Australian respondents said they would pay the ransom again if there were no backup files. The percentage was similar in other regions.
It's easy, as onlookers and commentators, to pass judgement on whether these companies, Garmin included, did the right thing. Their hand may have been forced, and such judgements may not be valid; the right answer often varies with the specific nature of the company, the type of attack, and the risks involved. These are variables that change in every case. That's perhaps why even the FBI, while strongly advocating that victims of ransomware should not pay their attackers, says in the same advisory that it "understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers."
Let’s turn this threat into an opportunity
The recent attack on Garmin is a good case study of the critical pressures and risks businesses face in the aftermath of a ransomware attack, and one we can explore during conversations with customers about cyber risks and incident response planning.
A multi-layered approach is fundamental to ensure our customers’ cybersecurity is up to scratch. We know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a cloud email security solution like MailGuard to complement Microsoft 365.
Garmin's experience is an opportunity to remind customers that these risks are all-too real, to ask important questions and stimulate a discussion, so they are prepared to protect their businesses against evolving cyber-threats.
Stay safe, everyone.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993