
Garmin obtains decryption key after ransomware attack - thinkmassive
https://news.sky.com/story/garmin-obtains-decryption-key-after-ransomware-attack-12036761
======
Alex3917
> If a payment was made through a third party it could also be covered by the
> Treasury sanctions, which warn: "Foreign persons may be subject to secondary
> sanctions for knowingly facilitating a significant transaction or
> transactions with these designated persons."

I accidentally took a phone call for a job that basically involved using
Bitcoin to launder money to send ransom payments to terrorists. They told me
that although it's technically illegal, the U.S. government has never
prosecuted anyone for paying a ransom. I noped out after the first phone call
for obvious reasons, but it was pretty interesting just to learn about the
industry.

Anyway when Garmin says they didn't pay the ransom themselves, they are
telling the truth, instead they would have used this company or one of their
competitors. You can't just open a Coinbase Pro account and buy 10 million BTC
and transfer it on your first day. No bank is going to allow you to do that,
since they would then be liable for facilitating that transaction. Instead you
need to contract with a company that specializes in ransom payments and has
already accumulated the crypto in advance. Then you pay them a percentage for
their services.

~~~
CobrastanJorji
Weird. I would think that while it's not worth the government's time to go
after individual companies paying off ransoms, it would definitely be worth
their time to go after a business professionally focused on paying illegal
ransoms who tell interview candidates that they are aware that what they do is
illegal.

~~~
Alex3917
Maybe, maybe not. It's technically illegal to grow or possess any amount of
weed, but in practice you don't get prosecuted (by the feds) unless you have
over 100 plants or thousands of pounds. Until ~2004 it was illegal for native
Americans to be within Boston city limits.

There are thousands of things that are illegal, but in practice are rarely if
ever prosecuted, even in cases where people are violating those laws at pretty
significant scales.

In my case that's not a risk I'd be willing to take, but I can see why other
people would. The reason it's not prosecuted though isn't because of
companies, it's because there are lots of wealthy people who travel overseas
and then get kidnapped, and the government isn't going to prosecute their
families for paying to not have their kids dismembered and the videos posted
on YouTube. The reason companies aren't prosecuted is mainly because once you
decide not to prosecute families for doing this, then anyone else can make an
equal protection argument.

~~~
codeflo
The perspective that there are “thousands of things that are illegal” but not
prosecuted always fascinates me; that’s not at all a common perception, e.g.
here in Germany. Is that a difference between common law and civil law
systems? Maybe in places where code law is mostly binding, there’s a lot more
pressure on the legislature to keep the law books up to date with the current
norms of society.

~~~
aka1234
I can only speak from my layman's understanding of US law. In the US, there's
a doctrine of prosecutorial discretion. Basically the police and prosecutors
can choose whether to arrest and charge someone for a crime.

> "Maybe in places where code law is mostly binding, there’s a lot more
> pressure on the legislature to keep the law books up to date with the
> current norms of society."

In the US, where everything is so entwined with politics, there are a lot of
unenforceable laws still on the books.

For example, the US Supreme Court struck down sodomy laws in 2003. Last I
checked, Texas still has a law on the books criminalizing sodomy. Sure Texas
can't enforce it, but the conservative majority in the legislature won't
actually repeal the law because politics. Similarly, when the US Supreme Court
ruled that banning same-sex marriage was unconstitutional, Texas had to
recognize same-sex marriage. But there was no law allowing same-sex couples to
divorce. So there was this weird limbo wherein you couldn't get divorced if
you were in a same-sex marriage.

America is weird.

~~~
roywiggins
There's a difference between laws that exist but are rendered moot by a court
ruling it unconstitutional, and laws that exist and are constitutional but are
just never used, and laws that exist, and are probably not constitutional, but
aren't used, so have never been challenged.

For all intents and purposes sodomy was made legal by the 2003 precedent; that
those laws are still technically in black-and-white doesn't mean they're in
force.

But there are lots of laws that are still in force but aren't actually picked
up and used much. They're still there, though. For instance, hardly anyone was
prosecuted for Espionage Act violations for decades, but nobody disputes that
the DoJ can dust that law off and start using it again, subject to the current
jurisprudence on free speech etc.

------
bt3
It's not clear to me from the article that Garmin did in fact get the
decryption key. There's enough verbiage suggesting they _didn't_ pay the
ransom, so are we to assume they had other means?

It also took Garmin quite a while to acknowledge the ongoing situation formally
(their outage page has been accurate with red lights across the board). Could
it be that Garmin just started to spin up more hardware and began a migration
of their last backups? (I'm so far removed from how their service operates, so
apologies if this sounds impractical.)

~~~
solumos
Migrating to backups seems possible. Garmin is pretty complex in that it
produces hardware and software across a few verticals, but I don't think
there's anything that makes them particularly unique in the way they'd handle
backups/failover.

I think it's also possible that Garmin proactively pulled the plug on their
public-facing services in order to mitigate the spread of the attack. It would
be _really_ bad if the attackers could make the hop from Garmin's web services
to consumer devices.

~~~
sharken
According to Symantec, attackers first gain entry and then explore the
network. This process will take anything from days to weeks.

By the time the encryption begins they have explored every way possible into
critical systems.

Preventing the second-stage attack is what Symantec has been successful at;
this video gives an insight into how that works:

[https://youtu.be/p1KJiv-RjMU](https://youtu.be/p1KJiv-RjMU)

------
SimonPStevens
This title is overly misleading. There is no evidence presented in the article
to even suggest they paid the ransom. And Garmin declined to comment.

It's possible they paid, but it's also possible they are just restoring
backups.

~~~
beloch
If they didn't pay off the hackers and are recovering on their own, it would
be in Garmin's best interests to issue a public statement explicitly saying
so. Failing to do so may make them a target for other hacker groups. Their
vulnerability is now proven and their willingness to pay strongly suggested.

~~~
SkyBelow
Even if they did pay, wouldn't it still be better to say they were restoring
from backups? Makes them look far less vulnerable to the attack and they can
likely wrap it with enough PR speak to not be technically lying. Arguably
about as morally troublesome of an act as paying for the ransom.

~~~
gruez
>Even if they did pay, wouldn't it still be better to say they were restoring
from backups?

Probably because that would be securities fraud? You'd be essentially duping
investors into thinking the company is better than it is. eg. if there was a
fire in your widget factory and the whole place got destroyed, you can't turn
around and tell investors "everything's fine, the fire suppression system
worked as intended", because you'd be lying to investors about the state of
the company.

~~~
sukilot
Investors don't get to see trade secrets. They obviously restored some backups
even if they paid ransom via a reputation laundering company.

------
jrockway
Has there been any discussion about the technical details of the attack? I am
having a hard time imagining how a compromise of a workstation could result in
the entire company -- their own apps, their call center -- going down for
days. I can see how malware could break production severely ("kubectl delete
deployments" from a trusted workstation). I can see how malware can wipe out
your desktop. I can see how malware could f your cloud infrastructure account.
But I'm not drawing the line to "we can't build a new release and deploy it on
another provider" or "we can't buy an emergency Dialpad account to start
taking calls from customers".

My guess is this: two separate attacks occurred. The first attack involved
compromising production, and installed a scheduled job that, at a certain
time, would delete all database backups and code repositories, deschedule all
workloads, delete all DNS records, etc. The next attack involves the fact that
all source code is on managed workstations, so they compromised the IT
management system to push malware to every machine globally at the exact same
time that would destroy all git repositories (etc.) on the workstations. The
result was that when the scheduled time occurred, production would crash and
there would be no backups. (They must have wiped all the tapes at their
offsite backup facility, too. I guess anything can be done for a price!)

To me, this sounds too complicated to even be feasible. I am still impressed
when I edit some manifest with a new version number that 90% of the time that
code eventually starts running. Being able to orchestrate a multiday outage
just seems amazing to me, and that you'd make a lot more money being a cloud
provider than a cybercriminal.

The other thought I had was that maybe they just kept thinking "we're so close
to getting it back" for three days, rather than saying "everything is lost,
revert to backups".

~~~
james412
> I am having a hard time imagining how a compromise of a workstation could
> result in the entire company -- their own apps, their call center -- going
> down for days

Can't guess at specifics, but if it's a Windows network, I would be utterly
unsurprised if all users had excess permissions to shared drives.

Many Windows networks just have a giant X: that everyone can write to, and it's
been like that forever, and it's so deeply baked into everyone's workflow that
it never gets fixed.
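
The "giant X: everyone can write to" situation above is something a defender can inventory rather than guess at. The following PowerShell is an added example, not code from the thread or from any of the commenters; it audits the SMB shares on one Windows host for share-level and NTFS-level write access granted to catch-all principals. It assumes the built-in SmbShare module (Windows Server 2012 / Windows 8 and later) and a local administrator session; the list of "broad" principals is an assumption to be adjusted for a given domain's own catch-all groups.

```powershell
# Added example (not from the thread): read-only audit of SMB shares on this
# host for broad write access. Assumes the built-in SmbShare module and an
# elevated session. Nothing here changes any ACL.

# Assumption: these principals mean "essentially everyone on the network".
# Extend with your domain's own catch-all groups (e.g. "Domain Users").
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

# Share-level rights that allow writing or deleting.
$WriteShareRights = @('Full', 'Change')

$Findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Layer 1: the share permission (what the SMB server itself enforces).
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.AccountName -and
            $WriteShareRights -contains $ace.AccessRight.ToString()) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $ace.AccountName
                Right     = $ace.AccessRight.ToString()
            }
        }
    }

    # Layer 2: the NTFS ACL on the backing folder. Both layers are enforced,
    # so a share is only broadly writable when both allow it; reporting each
    # layer separately shows which one is doing the real work of restricting.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $rights = $ace.FileSystemRights.ToString()
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                $rights -match 'FullControl|Modify|Write') {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'NTFS'
                    Principal = $ace.IdentityReference.Value
                    Right     = $rights
                }
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Share, Layer | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative share grants write access to a broad principal."
}
```

A share that appears in the output under both the `Share` and `NTFS` layers is one that every authenticated user (or everyone on the network) can write to, which is exactly the blast radius a single compromised workstation inherits. Run it across every file server, not just one host, and treat a `Full` or `Change` share grant to `Everyone` as the finding to fix first: tighten the share permission to a specific group and leave the NTFS ACL as the second layer.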

~~~
stefan_
Is it common practice to have the servers running your production (not in the
manufacturing sense) cloud services _join the AD domain that has your office
staff in it_? Why? That doesn't even make any sense from a convenience PoV.

It just seems like an unfathomable level of incompetence required to go from
compromising some random Windows workstation all across the hardware that runs
your app services. And lest we forget: a ransomware attack is always also a
massive _data loss attack_. Garmin better get to work complying with the law
and notifying impacted customers (all of them?).

~~~
ryandrake
If there's one thing I've learned in the computer industry, it's that there is
no such thing as an unfathomable level of incompetence. All levels of
incompetence are not only fathomable, but repeatedly demonstrated. It's
amazing that anything works at all.

~~~
moepstar
If this wasn't so, so true, it'd be even funny :(

------
_salmon
There's nothing definitive that says they paid the ransom or obtained the
decryption key from the attackers. Rumors on Twitter say that they're
rebuilding services from backups and slowly getting things back online

~~~
solumos
I can imagine it's possible that a 1-week outage + cyber risk insurance claim
+ rebuilding from backups could net out to less than $10M.

~~~
nomdep
It doesn't matter. Unless a life is at risk, you never ever pay ransoms, or
others will try again.

~~~
blackboxlogic
Ex Garmin employee here. Some of their infrastructure supports emergency
response. Hard to know how much of what went offline, but if /that/ goes down,
people die. On-call was not fun.

~~~
obmelvin
Supposedly inReach wasn't included in the downtime? Wonder if due to better
infra or just highly (and rightfully so) prioritized once things went south.

~~~
Scoundreller
Most of it runs over Iridium, so I wonder how much IoT is really involved vs
just being a different hardware front-end for Iridium services.

~~~
obmelvin
Ah, that would probably explain it. I was wondering if the actors wanted to
avoid touching services that could impact people's lives, due to that
potentially leading to more motivated investigations. Possibly, but also could
just be that it is largely a hardware front-end for Iridium's service.

------
hangonhn
I wonder if going after such a well known target was a mistake since once the
news leaked out it put Garmin in a position where it would be much harder for
them to pay the ransom. I wonder if their chances of success are higher by
going after a larger number of lesser known and less valuable targets who may
not garner the attention nor have the IT staff to deal with the issue.

~~~
interestica
But then you're not going to get as high of a payout? Maybe this math works,
or maybe it's a feeler to figure out where the line is.

~~~
loa_in_
Maybe the smaller targets were already tried but didn't make the news

------
verytrivial
For the vast majority of users Garmin have ZERO liability re data retention.
They could just say WHOOPS! and zero all accounts and require everyone to
resync. And I would have respected them for that as they've now sent $10M to
these assailants to increase the sophistication of their attacks and
retain/lure/entrap more skilled developers. But then I'm a bit of a moral
absolutist.

If their financial records were all toast too I wonder what the fines would
have been ...

~~~
kochthesecond
Yeah, I'd also accept all my data zeroed instead of financing hackers.

It still puzzles me greatly how this ransomware has such a huge impact. How
does it allow hacking and encrypting the DB servers?

------
exabrial
I should be able to see all of my locally recorded stuff without the cloud.

I was happy that basic functions of my Garmin Venu continued to work. But some
stuff should be cached, or stuff that hasn't been sync'd should be available
locally.

~~~
zwaps
I want to say that previous versions of Garmin connect did have the data
locally, such that you could see your runs or activities without being
connected to the Garmin services.

The present version of Garmin connect does nothing if you are not connected to
Garmin servers. E.g. you can't see your activities, your data or anything
else.

When this change occurred, I remember that it annoyed me greatly. Why not have
some local data cached on your phone? Other apps seem to manage that no
problem. If you'd have no internet access, you could at least still use the
app to see your activities and sync them later. This seems so obvious to me
that I have trouble understanding why they chose the current route.

Of course, it's still not a total disaster. Garmin devices still work and
track, you can still view the data on them, and they usually plug in as a USB
drive anywhere so you can upload the data manually.

Still, for smartwatch users, this could have been a really minor inconvenience
rather than what it is now.

------
NotSammyHagar
I'm quite surprised that people seem kind of ok with the idea of ransomware.
It's a horrible, criminal corrupt practice and it's destructive to pay or
participate in anything to do with this.

~~~
bitxbitxbitcoin
I think the kind of ok feel is from the "they should have had backups, that'll
teach 'em" crowd.

------
rodgerd
I am a lot more interested in the answers to questions like:

1. Why was there lateral spread across low-criticality fitness devices and
avionics devices?

2. Why was there lateral spread across manufacturing, customer support, and
PII regions?

3. What assurances are there that health information wasn't leaked?

4. What's the general security position around avionics, marine, and health
data at Garmin?

~~~
Spooky23
Segmentation is expensive and slows stuff down. Businesses are bad at
segmenting risk.

I'd expect the avionics and marine stuff to be a little better due to
compliance requirements.

~~~
dylan604
I don't know. It seems like whenever a company needs to have data shared, it
by default is siloed. Yet when a company needs siloed/segmented verticals,
they are shared with no boundaries. You rarely hear about companies that have
done it correctly, yet everyone has worked for a company that does it badly.

------
interestica
> Smartwatch maker Garmin has obtained the decryption key to recover its
> computer files from a ransomware attack last Thursday, Sky News has learned.

Is this really the aspect of their business that they're most known for now? I
still think of them as a GPS/Geolocation device company.

~~~
usrusr
It's their absolute boom segment right now, dwarfing the revenue of all
others. Somehow the Apple watch made a lot of people who'd rather wear a
Garmin suddenly think that it's perfectly fine to wear an absurdly expensive
GPS watch. Garmin has succeeded in establishing a price range where the Apple
offering would barely make the upper third.

~~~
glenngillen
I feel seen by this comment! TBF, I already had a Garmin GPS watch that I
bought circa 2006 (one of their first I believe) for tracking my runs. When it
came time to upgrade I compared it to the Apple watch. And you're right. I
definitely decided I'd much rather spend that much money on something with a
12yr upgrade cycle vs the 2-4 year cycle on many of my Apple devices.

What I've found most surprising is I have young children, and having a Garmin
activity tracker watch (seems to be not much more than a step counter) has
become _the_ thing every 6yo is expected to have these days. We've avoided it
so far, but from speaking to parents with children at neighboring schools
they're nearly ubiquitous in the youngest year levels now.

------
concerto
I was confused by the use of "sanctioned" in the byline. They meant it to mean
"had sanctions imposed", but I understood it as "given permission", which set
the article in a completely different tone. What an odd word.

~~~
bobbylarrybobby
More fun examples here:

[https://en.wikipedia.org/wiki/Auto-antonym?wprov=sfti1](https://en.wikipedia.org/wiki/Auto-antonym?wprov=sfti1)

------
JohnTClark
Does the US or any other western country ever retaliate? It seems to me that
Russia and China keep attacking us and we do nothing. Was vkontakte ever taken
down? What would happen if a US hacker group "independent" of the NSA attacked
a Russian company?

------
ideals
A few people have commented on the logistics of paying a large Bitcoin ransom
which can entail hiring a 3rd party to pay it.

Could an independent party buy the decryption keys from the ransomware party
for their asking price then attempt to resell this to Garmin (or other party)
for more money?

Of course it's a bit game theory because you're depending on the target to pay
and the ransomware attacker to not relinquish and resell the key to anyone
else including the target.

Ignore the legality of it all, else it's not very interesting to think about.

~~~
usrusr
More likely scenario: the attackers demand 10 mil knowing that 10 would be an
unlikely best case scenario and a more likely outcome would be something like
2 mil, passed on in exchange for the keys by a cooperating fake computer
forensics firm that claims to be able to restore the data without paying the
attackers. For only 3 mil, an absolute bargain. The victim would pay the 3
mil, either falling for the show or _claiming_ to be falling for the show.

