People first started noticing something was wrong with Garmin midway through last week when they weren’t able to use the company’s GPS-enabled devices to upload workout data. Then reports started rolling in that several of Garmin’s other GPS devices and services, including its flight planning programs and customer support tools, were offline as well. On Monday, Garmin confirmed what had by then become clear to many of its customers: It had been the victim of a cyberattack that had encrypted some of its computer systems and rendered many of the company’s services unusable for several days. A week after the attack first hit, Garmin said most of its systems had been restored.
In many ways, the ransomware attack that hit Garmin last week was the same old story that we’ve seen over and over and over again the past few years: A malicious program encrypts the servers of a big organization and effectively shuts down all operations for a period of several days, or in some cases even longer. Compared with ransomware attacks that have hit entire cities or health care systems, it may not have seemed like the most damaging or dangerous attack, though the consequences of the Garmin shutdown were actually pretty far-reaching. Sure, people who relied on popular Garmin watches to track runs and other workouts couldn’t upload their exercise data, but as Lily Hay Newman pointed out in Wired, the outages also affected airplanes that relied on flyGarmin technology and the Garmin Pilot app for flight planning and scheduling purposes.
But what really made the Garmin attack interesting wasn’t the size or scale of its impacts—it was the test it posed to the U.S. government’s ongoing attempts to crack down on Russian cybercrime organizations. According to TechCrunch, the ransomware that infected Garmin’s systems appeared to be a program called WastedLocker, which is distributed by the Russian cybercrime group known as Evil Corp, run by Maksim Yakubets. In late 2019, the U.S. Treasury’s Office of Foreign Assets Control took action against Evil Corp and Yakubets, announcing sanctions that prohibited U.S. individuals and firms from engaging in any transactions with them (as well as several of their associates).
At the same time, the Justice Department also released indictments of Yakubets and his co-conspirator Igor Turashev, offering a reward of up to $5 million for information leading to Yakubets’ arrest. The indictment, and even the proffered reward money, was reminiscent of earlier attempts the U.S. government had made to crack down on cybercrime by issuing indictments of foreign hackers, including other Russian ransomware operators, and offering large rewards. Those earlier efforts had yielded few results, so it was a little difficult to know how symbolic the Evil Corp sanctions and the accompanying indictments were, or whether they would have any significant impact on Yakubets’ operation.
The Garmin ransomware attack was one of the first high-profile, public tests of those sanctions. After identifying the ransomware in their systems as WastedLocker, Garmin, a U.S.-based multinational company, had to know that paying the demanded $10 million ransom—or even any smaller sum that they were able to negotiate with Evil Corp—would be a violation of the Treasury Department sanctions against the Russian criminals.
So, how well did those sanctions work? Clearly, Garmin didn’t immediately give in to the attackers’ demands, since their outages lasted several days. On Tuesday morning, Sky News reported that the company had obtained the decryption key it needed to its systems but quoted sources as saying that Garmin “did not directly make a payment to the hackers.”
There are a lot of possible ways to read that statement, but the word that most immediately jumps out is “directly.” It’s possible that Garmin was able to procure the decryption key without caving to the ransom demands, but if Garmin did not make any payment to the hackers whatsoever, it could have just said that. Instead, the Sky News sources seemed to imply that a third party might have made some payment on Garmin’s behalf—possibly an insurer, if Garmin held any coverage for online extortion, or one of the security firms that specializes in negotiating and paying ransomware demands on behalf of victims. Understandably, if it did authorize any sort of payment, Garmin is not likely to clear up any of the details of how it happened.
It’s a depressing outcome that hints at how useless, perhaps apart from the symbolism, economic sanctions may be for trying to tackle international cybercrime. At the time that they were announced, it seemed just possible that by adding sanctions to the U.S. government’s typical strategy of naming and shaming foreign hackers through publicly released indictments might have some greater impact. After all, if those sanctions really did stop people from making ransom payments to Evil Corp, then Yakubets and his co-conspirators might not bring in enough money to let them continue to purchase expensive sports cars. (Yakubets famously owns an objectively incredibly ugly custom Lamborghini painted in a bizarre gray, yellow, and green camouflage pattern with a license plate featuring the Russian word for “thief.”) In other words, making ransomware a little less profitable might help drive people out of the business and drive down future attacks.
I’ve advocated in the past that organizations should not pay ransoms, and even pushed for policymakers to consider making it illegal—or at least more difficult—for ransomware victims to do so, in the name of making online extortion less profitable. But if the Treasury’s Evil Corp sanctions failed to dissuade even a very prominent, major U.S. company from making a ransom payment, it’s hard to see what good they will conceivably do.
Ideally, the Treasury Department would now investigate what happened with Garmin and penalize the company if, in fact, it did authorize any ransom payment thereby giving their sanctions some teeth. But the government may be understandably wary of appearing to bully a company that has already suffered considerable losses. If, however, Garmin faces no investigation into what happened then the government will be sending a clear signal to all other cybercrime victims that its sanctions were never more than a symbolic gesture—and that they’re free to contribute to the cost of Yakubets’ next luxury car or pet tiger.