Garmin

Garmin was hit by ransomware on the morning of the 23rd of July, with the malware identified as the WastedLocker family operated by the threat-actor cluster Evil Corp. Garmin's customer-facing services — Garmin Connect, flyGarmin, the various Garmin Aviation services, and the customer-support infrastructure — were offline for several days, with phased restoration through the weekend and into this week (Garmin status updates, BleepingComputer reporting on the attack and recovery). The disclosure has been limited and the operational details are inferred from technical analysis and from the company's careful public statements rather than directly disclosed.

The OFAC complication. Evil Corp was sanctioned by the US Treasury's Office of Foreign Assets Control in December 2019 (OFAC press release on Evil Corp sanctions). The sanctions designation makes it potentially illegal under US law for a US-domiciled entity to make ransom payments to Evil Corp, even where the payment is, on the immediate operational measure, a rational decision against the cost of continued business disruption. The Garmin case is, on the public reporting, the first major test of the operational interaction between OFAC sanctions and ransomware-payment commercial pressure. The reporting through this week has been extensive and not entirely consistent — some sources suggest a payment was made via an intermediary structured to avoid direct OFAC violation; some sources suggest a payment was not made; the operational picture has not been definitively clarified by the company.

The reason this matters for customer briefings is that the OFAC complication will extend to other ransomware operators on a steadily expanding basis. The US Treasury has indicated that comparable designations against other ransomware-operator clusters are in active consideration, and the post-Garmin policy environment will require customer-organisation incident-response playbooks to incorporate the sanctions check and OFAC-clearance process as a structural component of the ransom-decision pathway. For any ransomware case, customer-organisation legal counsel will need to assess the OFAC-attribution status of the operator cluster, the potential liability of payment, the structuring options for any payment that is made, and the timing implications of the legal review against the operational pressure of the ransom deadline. None of these are cheap operational questions, and several are not solvable on the timeline that ransomware operators typically demand.

For the customer-portfolio incident-response readiness work, the Garmin case has been the trigger for two conversations. First, the OFAC-clearance process — for any UK customer organisation that might face a ransomware incident with US-sanctioned operator attribution, the operational interaction with OFAC and with US-side counsel needs to be pre-arranged rather than reactive. The customer-organisation playbook updates I am pushing this quarter include the OFAC-clearance step as a defined-procedure item with named responsible parties and pre-vetted external counsel. Second, the broader question of whether to maintain a no-pay posture as the customer-organisation policy default. The Norsk Hydro case demonstrated that the no-pay posture is operationally feasible if the recovery infrastructure is in place; the Garmin case (with whatever the actual payment posture turns out to be) illustrates the operational tension when the recovery infrastructure is less robust. The customer-organisation conversations about no-pay-policy commitments have been more substantive in the past several weeks than they were earlier in the year.

For the wider strategic context, the targeted-ransomware threat continues to escalate through the COVID-affected period. The operational shift to remote-work environments has expanded the attack surface in many customer-organisation environments, and ransomware operators' attention to that expanded targeting opportunity has been visible in the case volume. The defensive posture that I have been writing about for 18 months — segmentation, identity-and-privileged-access controls, data-egress visibility, incident-response readiness, executive-side decision-pathway clarity — continues to be the substantive answer.

I will write more as the Garmin operational picture firms up. The case will produce learning that the customer-organisation programmes need to absorb.
