
Garmin received decryptor for WastedLocker ransomware - nl5887
https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/
======
NotSammyHagar
I'm still hopeful that Garmin is prosecuted for paying the ransom. The US is
actually sanctioning Evil Corp.
[https://slate.com/technology/2020/07/garmin-cyberattack-rans...](https://slate.com/technology/2020/07/garmin-cyberattack-ransomware-payment.html)

I even have a Garmin device affected by this. I still want ransomware stopped.

~~~
sharken
Ransomware that is a result of users clicking on update notices they should
not click is very hard to protect against. Even Stuxnet was successful in
crossing over to a separate network through the use of USB sticks. Source:
[https://en.m.wikipedia.org/wiki/Stuxnet](https://en.m.wikipedia.org/wiki/Stuxnet)

I get the sentiment that Garmin should suffer due to paying the ransom, but I
bet a lot of American companies would act the same way if it was their company
on the line.

At least this incident should serve as a warning to other companies that
Ransomware is very real and there has to be a plan for recovery without paying
the ransom.

~~~
NotSammyHagar
Those companies should have backups. If this was say a mafia type org that was
going to kill people if they didn't pay up, it would be clearly wrong. If
someone said they'd cut your internet links if you don't pay, it might be more
obvious this extortion payment is wrong. And this can be defeated by having
backups.

------
Simulacra
Since GARMIN is a publicly traded company, couldn’t an investor demand to know
if the money was paid, and if they don’t get an answer, they could go to the
SEC? Could they sue?

~~~
wjnc
Interesting question. The dynamics surrounding which questions get proper
answers in shareholder meetings are always interesting to me. There is no right
way and bullshitting certain questions is an art. On grounds of material
impact this question is hard to skip an answer to. Perhaps the payoff wasn't
that material in the end, but the hack was. So even a small fry shareholder
could ask this in the shareholder meeting and expect an answer. Skipping to
answer good questions often leads to more in the future, so that's the balance
the CEO and investor relations face. One could always reach out to analysts to
try and get some critical mass going.

~~~
mytailorisrich
I would think that it will be duly included in the company's financial
statements, so that the material impact of this _overall_ is duly reported.
But obviously there will be no reference to any ransom.

I would also suspect that they never paid any ransom. They probably only paid
consulting fees to security/ransomware experts (wink wink).

------
mint2
I’m curious if the average company even bothers planning/testing their ability
to recover from a ransomware attack without paying.

Like do they even bother planning for that or are they unaware of the risk or
did they decide it’s more cost effective to purely rely on prevention and plan
to pay any ransom.

I feel like there should be a regulation, where if they pay the ransom then
they get a penalty of 2-5x the ransom charged.

------
akmarinov
I bet they’ll start investing in backup solutions right about now.

~~~
hibbelig
I recall a story here on HN, some days ago. A company was attacked, then the
attackers waited some months to make sure that all backups had been
contaminated, then they struck.

So victims can only make sure that they have a malware checker that finds the
culprit, then do fresh installs, then check each file before it's restored
from backup. Sounds like a crazy amount of work.

~~~
andreareina
Immutable append-only backups would protect against this, right? Nuke the OS
to make sure you're running on good software, then pull in data that's as good
as it was when it was backed up.

~~~
danielheath
Only to the degree that attackers can't figure out a way around them (given
months of planning with access to internal systems & documentation).

For instance: I have backups going to an append-only s3 bucket in a separate
AWS account, but I don't have monitoring in place to ensure that bucket hasn't
been wiped. An email would get generated, but it'd go to the root account
holder, who may not notice in time.
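
Added example, not part of danielheath's comment or the original thread: one way to close the monitoring gap described above is a scheduled check that fails loudly when the backup bucket looks wiped or stale. It assumes the bucket has versioning enabled (so a delete shows up as a delete marker) and works on a dict shaped like an S3 ListObjectVersions response; the function name, thresholds and sample listings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_backup_listing(listing, now, max_age=timedelta(hours=26), min_live_keys=1):
    """Return alert strings for a ListObjectVersions-shaped dict; [] means healthy."""
    live = [v for v in listing.get("Versions", []) if v["IsLatest"]]
    # A delete marker that is the latest version hides the object from normal reads.
    hidden = sorted(m["Key"] for m in listing.get("DeleteMarkers", []) if m["IsLatest"])
    alerts = []
    if len(live) < min_live_keys:
        alerts.append(f"only {len(live)} live objects, expected at least {min_live_keys}")
    if hidden:
        alerts.append("delete markers hide: " + ", ".join(hidden))
    newest = max((v["LastModified"] for v in live), default=None)
    if newest is None:
        alerts.append("no live backup object at all")
    elif now - newest > max_age:
        alerts.append(f"newest backup is stale: {newest.isoformat()}")
    return alerts

def _obj(key, day, hour, latest=True):
    # Constructed sample entry (August 2020); real entries carry more fields.
    return {"Key": key, "IsLatest": latest,
            "LastModified": datetime(2020, 8, day, hour, tzinfo=timezone.utc)}

NOW = datetime(2020, 8, 3, 12, tzinfo=timezone.utc)
HEALTHY = {"Versions": [_obj("db/2020-08-02.dump", 2, 2),
                        _obj("db/2020-08-03.dump", 3, 2)]}
WIPED = {"Versions": [_obj("db/2020-08-02.dump", 2, 2, latest=False),
                      _obj("db/2020-08-03.dump", 3, 2, latest=False)],
         "DeleteMarkers": [_obj("db/2020-08-02.dump", 3, 9),
                           _obj("db/2020-08-03.dump", 3, 9)]}
STALE = {"Versions": [_obj("db/2020-08-01.dump", 1, 2)]}

if __name__ == "__main__":
    for name, listing in (("healthy", HEALTHY), ("wiped", WIPED), ("stale", STALE)):
        print(name, audit_backup_listing(listing, NOW, min_live_keys=1))
```

In practice the listing would come from a read-only identity that the backup-writing systems cannot use, and a non-empty result would page an on-call channel rather than a single mailbox.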

~~~
andreskytt
Kinda makes me wish for the good old days when you could just store a pile of
tape

~~~
nix23
Good old days? There is a reason financial institutes still use WORM tapes,
and they are great!

------
14
To me the fascinating part is that with the ransom payment they received the
decrypt key as well as the security system patches needed to protect the
system. However I would be very nervous that the hacker didn’t leave something
behind but perhaps they would rather a good reputation and not risk losing
payment for the next attack.

~~~
mpnordland
Given the references the author found to apparently reputable ransomware
recovery firms, my reading is that the decryptor was built by one of those
companies using the key provided by the intruder.

------
mkj
Is Evil Corp their actual name, or just what the US law enforcement called
them?
[https://home.treasury.gov/news/press-releases/sm845](https://home.treasury.gov/news/press-releases/sm845)

~~~
peterlk
It looks like that's just the name of a group - like anonymous, lulzsec,
equation, shadow brokers, etc.

It's likely a nod to Mr. Robot, where the company that the hackers are
infiltrating is called Evil Corp.

~~~
Crosseye_Jack
It's E Corp, Elliot calls them Evil Corp (He says in episode 1 iirc, that he
basically replaced E Corp with Evil Corp in his own internal dialogue)

------
Stierlitz
This would never have happened, if only they used a proper Operating System
from a respectable software company.

~~~
Crosseye_Jack
Name that tune!

