Ransomware · critical

Garmin WastedLocker: Pilots Lose Navigation, Runners Lose Data for 5 Days

Garmin paid an estimated $10 million ransom after WastedLocker encrypted its internal systems, taking down Garmin Connect, Flygarmin (used by pilots for aviation navigation), and all customer services for 5 days.

Garmin / Evil Corp · 2020 · 2 min read

Background

Garmin manufactures GPS navigation devices and operates Garmin Connect, a cloud service used by millions of fitness and aviation customers. Flygarmin is used by pilots to download aviation charts and navigation data — a safety-critical application. Garmin was targeted in July 2020 by the same Evil Corp group responsible for the Travelex attack.

The Attack

WastedLocker ransomware was deployed across Garmin's internal network, encrypting production systems, databases, and services. Garmin Connect went offline. Flygarmin, which allows pilots to load current aviation charts, became unavailable — the FAA requires current charts for navigation. Garmin's call centres and customer support email were also taken down. The company initially told employees and customers only that there was an "outage" without disclosing the ransomware.

Response

Garmin received a decryption tool on July 27, 2020, five days after the attack. Multiple sources reported Garmin paid $10 million through Arete IR, a ransomware negotiation firm. Paying Evil Corp was legally complex given its OFAC sanctions status. Garmin said it had no indication it paid a sanctioned entity.

Outcome

Garmin restored services by July 27. The aviation safety implications of Flygarmin going offline for five days were significant. The $10 million ransom payment, routed through an intermediary, highlighted the legal grey area of ransomware payments to sanctioned groups. US pilot associations issued emergency guidance on manual chart alternatives.

Key Takeaways

  1. Safety-critical services (aviation navigation, medical devices) require air-gapped redundant systems not dependent on corporate IT
  2. Ransomware payments to OFAC-sanctioned groups create legal liability — consult counsel before negotiating
  3. Public communications during a ransomware incident must be honest — calling an encrypted network a generic "outage" damages trust
  4. Fitness and consumer data services face existential business risk from even short outages

WastedLocker · Evil Corp · aviation · GPS · OFAC sanctions