07/24/20 Update below. This article was originally published on July 23rd, 2020. It has been updated to reflect that BleepingComputer now has confirmation from a source familiar with the ongoing investigation that the WastedLocker ransomware hit Garmin’s network. We later updated the story with further information from a Garmin employee.
Wearable device maker Garmin shut down some of its connected services and call centers on Thursday following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack.
Garmin’s product line includes GPS navigation and wearable technology for the automotive, marine, aviation, marine, fitness, and outdoor markets.
“We are currently experiencing an outage that affects Garmin.com and Garmin Connect,” an outage update notification published on the company’s newsroom says.
“This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”
While Garmin didn’t mention it in their outage alert, multiple flyGarmin services used by aircraft pilots are also down, including the flyGarmin website and mobile app, Connext Services (weather, CMC, and position reports) and Garmin Pilot Apps (Flight plan filing unless connected to FltPlan, account syncing, and database concierge).
inReach satellite tech (Service Activation and Billing) and Garmin Explore (Explore site and Explore app sign) used for location sharing, GPS navigation, logistics, and tracking through the Iridium satellite network are also down.
The company’s Indian branch first tweeted about some servers being shut down due to planned maintenance nine hours ago that would limit the performance of the Garmin Express, Garmin Connect mobile, and website.
Four hours later, Garmin’s main Twitter and Facebook accounts shared the same outage message (1, 2) about the incident impacting Garmin Connect services, including the mobile app and the website, with its call centers also being down due to the outage.
This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience. (2/2)
— Garmin (@Garmin) July 23, 2020
Confirmed WastedLocker ransomware attack
A source close to the Garmin incident response and a Garmin employee confirmed to BleepingComputer that the WastedLocker ransomware attacked Garmin.
A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office on Thursday morning.
BleepingComputer was told that the Garmin IT department had tried to remotely shut down all computers on the network as devices were being encrypted, including home computers connected via VPN.
After being unable to do so, employees were told to shut down any computer on the network that they had access to.
In a photo of a Garmin computer with encrypted files shared with BleepingComputer, you can see that the .garminwasted extension was appended to the file’s name, and ransom notes were also created for each file.
As part of this company-wide shutdown, the employee told us that Garmin did a hard shutdown of all devices hosted in a data center as well to prevent them from possibly being encrypted.
This company-wide shutdown is what caused the global outage for Garmin Connect and other connected services.
iThome also published a report on a Garmin internal memo earlier about a ‘virus’ attack affecting the company’s internal IT servers and databases that caused Garmin Taiwan factories to shut down production lines for two days (on July 24 and 25th).
If you work at Garmin or know someone working there with first-hand information on this incident, you can confidentially contact us on Signal at +16469613731.
After further research, BleepingComputer found the same WastedLocker ransomware sample used in the attack on Garmin.
As WastedLocker samples are customized for each target, having access to the sample lets us generate the same ransom note and encrypted files as seen during the attack.
As you can see below, files encrypted with this WastedLocker sample append the same .garminwasted extension and create the same garminwasted_info ransom note as shown in the photo sent to BleepingComputer by the Garmin employee.
Furthermore, the ransom notes generated by the sample are addressed to ‘GARMIN’, as shown below.
Reports state that the attack started in Taiwan, which coincides with the location of one of the users who uploaded the sample to VirusTotal.
BleepingComputer was told by one of the sources that the attackers are demanding a $10 million ransom.
BleepingComputer has not been able to verify this amount independently.
Evil Corp’s WastedLocker ransomware
Evil Corp (aka the Dridex gang) is a Russian-based cybercriminal group active since at least 2007 known to be the ones behind Dridex malware and for using ransomware as part of their attacks including Locky ransomware and their own ransomware strain known as BitPaymer.
The U.S. Treasury Department sanctioned evil Corp gang in December 2019 after being charged for using Dridex to cause more than $100 million in financial damages.
Due to this, it is a tricky situation for Garmin if they want to pay the ransom as they would potentially be violating United States sanctions.
Since then, the hacking group has refreshed their tactics once more and are now again involved in the ransomware “business,” deploying their new WastedLocker ransomware in targeted corporate attacks and asking for ransoms of millions of dollars.
Evil Corp operators also used WastedLocker ransomware to encrypt systems on Garmin’s network, which has led to a significant worldwide outage of multiple services and products, including Garmin Connect, Garmin Explore, Garmin inReach, and flyGarmin.
Last month, Evil Corp was blocked from deploying WastedLocker ransomware as part of dozens of attacks against major U.S. corporations, including multiple Fortune 500 companies.
BleepingComputer has contacted Garmin for more information on this incident, but the mail bounced back as the mail servers are shut down.