Maybe you were wondering, a couple of weeks ago, why your super-fit, never-misses-a-day-of-exercise neighbor had suddenly stopped leaving the house for his morning run.
Had he finally decided to join the rest of us in late-night Netflix binging and unchecked consumption of Ben and Jerry’s Chubby-Hubby ice cream?
He stopped running, temporarily, because Garmin — the folks who make some of the most popular fitness-tracking apps and wearables — suffered a cyberattack that took down their business for several days. As your neighbor no doubt concluded, what’s the point of running 10 miles before breakfast if you can’t log it into your workout profile?
I wouldn’t know, but I do know this: Garmin got hit with a ransomware attack. And it was a lot more than just exercise-related. Garmin is deeply involved in all sorts of aviation and marine tracking devices and capabilities. Much of it was shut down.
It wasn’t until the company (allegedly) paid several million dollars in ransom that its systems returned to normal operations.
In Garmin’s case, the attacker got control of both corporate infrastructure (e.g., call center and customer communication capabilities) and product infrastructure (e.g., Garmin Connect and FlyGarmin). Among us cybersecurity experts, this is what is known as “bad.” (It’s a technical term, so try to keep up.)
In addition to causing shutdowns, some strains of ransomware will also release confidential, personal, or embarrassing information, as recently happened to Lady Gaga when her law firm refused to pay an attacker.
The silver lining for Garmin, at least, is that as a multi-billion-dollar company, paying millions in ransom is an option. If your company is not one of these, your choices could be bleaker, perhaps existentially so.
Should We Pay the Ransom?
Maybe. It is a risk management decision.
Can you easily restore systems if you don’t pay? How much equipment will you need to acquire and set up? Do you have backups of all key data? How long will it take? Will the time required undermine your credibility with your customers? Will confidential information be released that could be damaging?
These and similar questions need to be considered.
As for whether the bad guys will unlock your infrastructure once paid, here as well, the answer is a definitive “maybe.” Fortunately, most of them are in business to make money, not disrupt your operations. Like any hostage-taker, they are well aware that the gambit only works over the long term if paying ransom leads to release.
You Need to Plan Ahead
Garmin’s experience is a not-so-subtle reminder that every company needs an Incident Response (IR) Plan. Absent an IR Plan — a preconceived blueprint for how you will respond to various crisis scenarios — you’ll be forced to make business-critical decisions in the midst of an emergency, leading, inevitably, to mistakes.
For example, while you may have cyber insurance, your coverage may require that your insurance company be notified within X hours following an attack (the sooner they get involved, the more capable they are of minimizing the loss). Or, maybe your attorney would want you to avoid saying certain things to customers following a data breach.
Whatever the specifics, it’s much better to plan, ahead of time, things such as roles and responsibilities, key processes, insurance requirements, customer communications, legal implications and more. “Surviving” an incident is about much more than just getting your files back.
An Ounce of Prevention
As with most potential calamities involving data and/or displeased spouses, the best way to deal with a crisis is to never have it happen at all.
For cybersecurity, that first requires taking care of the obvious weaknesses, many of which we’ve discussed here before, including training employees, turning on multi-factor authentication and keeping operating systems and applications up to date.
A critical element to keep in mind as well is the extent to which employees have “privileged access.” Ransomware’s ability to infiltrate a company’s production infrastructure (as happened with Garmin) requires either a key or access to someone with a key. Limiting, reviewing and monitoring the behavior of your high-privileged users can make all the difference.
Garmin Ransomware Conclusion
Few individual events are capable of causing more company-wide damage than a ransomware attack. A single breach can result in a significant loss of time, money, data, customers and reputation.
Do yourself a favor and take steps now to protect your company from this type of incident. While you’re at it, maybe cut back a little on the Ben and Jerry’s, too.
P.S. For a flashback to happier days at Garmin, check out their fun holiday commercial from a little over a decade ago, here.