Part One – What can we learn from the fact that Garmin was targeted?
Ransomware attacks are on the rise in 2020, and ransomware continues to evolve to allow cybercriminals to target bigger victims, encrypt more of their networks and, as a result, demand greater ransoms than ever before.
This three-part series takes a look at the recent attack on the tech company Garmin, which forced a five-day shutdown of services affecting millions of its customers globally, and considers what this example tells us about the possible future landscape of this nefarious cybercrime and what legal issues we might expect to see as a result.
In Part One, we look at what we know about what actually happened to Garmin, and what we can learn from the fact that it found itself as a target.
In Part Two, in light of the rumour that Garmin paid its attackers USD 10,000,000 in ransom, we look at the legality of ransom payments.
In Part Three, we consider the other potential legal issues that arise for a business that finds itself victim to an attack.
What do we know about what happened?
On 23 July 2020, Garmin fell victim to a ransomware attack. The attack forced a five-day shutdown of Garmin Connect (which allows users to sync data collected from Garmin’s smartwatches while exercising), as well as various aviation services and Garmin’s call centres. Garmin has been particularly tight-lipped about what went on. The company eventually acknowledged that it had been the victim of a cyber-attack that had encrypted a number of its systems, but stressed that it had no indication that any customer data had been accessed or stolen.
In fact, the company has not even officially admitted that ransomware was used. Reports, however, indicate that the malware involved was the relatively new WastedLocker, which is associated with the Russian criminal hacking group Evil Corp. WastedLocker is known to masquerade as a software update which scrambles the target’s data once downloaded, though Garmin has not confirmed exactly how its systems were infiltrated.
While the lack of communication from Garmin to its customers has left a lot of room for speculation, it has been widely reported that the hackers demanded USD 10 million, and there are further unconfirmed reports that this ransom was in fact paid via a third party. Service was gradually restored to all systems, reportedly with the help of a New Zealand company which creates custom ransomware decryptors.
What can we learn from the fact that Garmin was a target?
Until the recent past, ransomware attacks have generally been directed at smaller companies with comparatively poor security systems and without specialist staff.
There now appears to be a growing trend towards attacks carried out on a more ambitious scale. Garmin is a US multinational publicly listed on the NASDAQ. It is valued at nearly USD 20 billion and boasts millions of users around the world. While it is not the first big fish to be caught (with businesses like Maersk, Merck and Travelex having also fallen victim since 2017, to name only a few), it is clear that as attacks themselves get more sophisticated, attackers are aiming for those with the most to lose and the deepest pockets.
Larger organisations are therefore more at risk than ever: they have more potential points of infiltration across their networks, and the evolution of ransomware means that even big-budget security defences may be insufficient.
As well as selecting a particular target, the Garmin attack suggests cybercriminals also carefully select the timing of their attack. Garmin was hit shortly before its quarterly earnings were announced, which seems unlikely to be a coincidence. Interestingly, despite a widely publicised attack, Garmin’s share price was barely impacted during the course of the five day shutdown. This might suggest that as attacks become increasingly frequent, they will be seen by investors as part of the cost of doing business and as one of many risks to be factored into pricing.
Unsurprisingly, as target size increases, so too does the ransom demanded. This is likely in part due to cybercriminals being fully aware that large companies are likely to have in place substantial cyber insurance policies which may allow a ransom payment to be paid by an insurer. Indeed, a recent report commissioned by the British security software firm Sophos Group plc found that, for those businesses that have insurance against ransomware, 94% of the time when a ransom is paid, it is covered by the insurer.
Sufficient cyber insurance protection is therefore an absolute must, no matter the size of your business. However, cyber insurance policies are complex and unwieldy, to such an extent that it can often be difficult to see exactly what cover they will provide in the event of a security incident. Risks are particularly difficult to price and the potential threats are constantly changing, meaning there is no standard basis of cover. When it comes to ransomware specifically, there is a real risk that businesses are underinsured, with Sophos’ study finding that while 84% of businesses surveyed had cyber insurance in place, only 64% had sufficient protection to cover a ransomware attack.
An attack creates a pressure-cooker environment by imposing a deadline for the payment of a ransom. In practice, businesses will have little time to seek legal advice on their cover, let alone to debate an issue with an insurer whose written consent may be required before a payment can be made. Ideally, then, businesses should ensure they are familiar and satisfied with their level of cover before they fall victim to an attack, though specialist and timely legal advice is likely to be required in any event.
Next week, we discuss what can be learnt from the fact that Garmin reportedly paid the ransom demanded, and look at the legality of ransom payments.
This series is intended as a whistle-stop tour of common issues only. If further information on any of these matters would be useful, please get in contact.