Garmin reportedly paid millions to resolve its recent ransomware attack

Security Now


Garment Hack. Lawrence Abrams bleeping computer as we know, as always had a strong interest in ransomware. So I'm not surprised that his coverage of the Garmin ransomware attack was the most detailed of any I've seen nor that he's had access to some. Insiders who have reached out to provide him some extra tasty bits. Among. Other things an employee inside Garmon informed him that the initial ransom demand was for ten million dollars. Oh. Yeah. Holy Moly. Dead. Dead million dollars. Okay. We don't know what ransom was finally paid. But it seems more certain than ever. That Garmon did pay up Lawrence wrote. After a four day outage, Garmon suddenly announced that they were starting to restore services and it made us suspect that they paid the ransom to receive a decrypt her. then. Last Saturday. Lawrence posted today bleeping computer gained access to an execute, -able created by the garment it department to Decrypt a workstation and then install a variety of security software on the machine. Since wasted locker. That's the ransomware is an enterprise targeting ransomware with no known weaknesses in their encryption algorithm. Decrypt, her cannot be made for free. And remember that bleeping computer has has been sort of a focal point four. The less than well designed ransom. Where mistakes were found in the encryption which allowed for the creation of a no charge, dijk crypt door and those have been organized and are are and can be found through bleeping computer. So he said to obtain a working decryption key Garmon must have paid the ransom to the attackers and he said this is where he said is not known how much was paid, but as previously stated, an employee told bleeping computer that the original ransom demand was for ten million dollars. When extracted this restoration package? This is the one that they that they received. A copy of that had been prepared by garments it department. This. Restoration package includes various security software installers, a decryption key, a wasted locker decrypt door, and a script to run them all. When executed the restoration package, decrypt the computer and then preps the machine with security software. Garments stripped contains a time stamp of July Twenty Fifth Twenty Twenty, which indicates that the ransom was paid either on the twenty fourth or twenty fifth. Using the sample of wasted locker from the garment attack, that is the actual. The actual ransomware from the garment attack bleeping computer encrypted did a virtual machine. And tested the decrypt her to see if it would decrypt their files. He said in our test, the decrypt. Decrypt files. So Interesting was that the package received by bleeping computer included references to both the cyber security firm Ms Soft E.. M.. S., I S O. F T. R. M, m cysts, soft sorry. Emphasis soft, and the ransomware negotiations service cove wear. When bleeping computer subsequently reached out to cove where they were told that they do not comment on any ransomware incidents reported in the media. And similarly emphasise soft toll bleeping computer that they could not comment on any cases that they create decryption tools and are not involved in ransom payments. Brett callow a threat analyst at. Mc Soft said, I cannot comment on specific cases, but generally speaking emphasis soft has no involvement whatsoever in negotiating or transacting ransom payments. We simply create decryption tools. Okay. Now, that's interesting news. So it might seem odd for a reputable security firms such as m soft to to have anything to do with ransomware, but they have an interesting angle. As we know, the decryption side of the ransomware mess sometimes receives much less attention from the bad guys who need to create the decrypt her Dan, the encryption side. Consequently. The decrypt have tended historically to be buggy to crash or to for some reason, fail to fully undo the damage that they had originally done despite. Having, received a valid key. So that's where M soft comes in. They reverse engineer questionable ransomware decrypt. There's for which the decryption key is known. To create a more robust and reliable decrypt her for a victims systems. Emphasis soft ransomware recovery services, page states if the ransomware. If the ransom has been paid, but the attacker provided decrypt is slow or faulty. We can extract the decryption code and create a custom built solution that decrypt up to fifty percent faster with less risk of data damage or loss. So. This also explains why the decryption package garment finally used also contained legitimate security software. That extra security software along with improved decrypt, her may have been provided by emphasis soft or may have been. Put together by garments it. And of course, as we mentioned last week, now that evil corporate has been attributed as the creator of wasted locker and has been placed on the US sanctions list for using dry decks to cause more than one hundred, million dollars in financial damages. Paying this ransom could lead to hefty fines from the government. So do these sanctions sources familiar with cove where have told bleeping computer that the negotiation company has placed wasted locker on their own restricted list starting in early July and will not be handed handling negotiations for related attacks.

Coming up next