Garmin’s services, websites and customer service have all been down since Wednesday night.
Garmin, maker of fitness trackers, smartwatches and GPS-related products, has reportedly suffered a widespread ransomware attack — though the facts around the cause remain unconfirmed for now.
The manufacturer tweeted on Thursday that its Garmin Connect service is down; Garmin Connect is a free app for tracking, analyzing and sharing health and fitness activities from a Garmin device.
“We are currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time,” it acknowledged.
It also added, “This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”
Meanwhile, a local media outlet in Taiwan, where Garmin is based, reported that the outage will soon extend to production lines too: “The production line will be suspended for two days [July 24 and 25]. At the same time, the official website also announced that the company, including the customer service system, map software updates, and application updates, has suspended related services due to system maintenance.”
The tweets and reporting confirm what users have been reporting since the service went down Wednesday night Eastern Time. As the outage has dragged on, users have become aware of how much their personal devices interact with the electronics giant’s infrastructure.
“It’s made me realise [sic] how crazy-reliant my Garmin watch is on their infrastructure,” said a poster on a Hacker News forum. “I went onto the app this morning to try and alter a watch face I already have downloaded, which should totally be configurable through just the mobile app alone. Why the hell does it need to talk to Garmin’s servers to let me do this? It should just be possible through the app alone, without needing any involvement from Garmin’s servers.”
Another pointed out the potential danger to personal data: “I am concerned a little for the location of my home now being in the hands of the wrong people.”
The situation has caused widespread speculation that the sheer reach of the outage into Garmin’s infrastructure indicates a ransomware attack; and one outlet said that Garmin employees have confirmed that the WastedLocker ransomware is to blame. That has not been independently confirmed, however.
“Wow! This is a doozy,” Saryu Nayyar, CEO at Gurucul, said in an email. “A likely ransomware attack taking down pretty much everything Garmin – website, call center, email, chat, production systems and data-syncing service. You just don’t know when the bad guys are going to attack and who will be their next victim. However, what we do know is every organization is susceptible to ransomware attacks.”
She added, “Hopefully, Garmin has a daily backup regimen for the company’s systems and data – that’s table stakes.”
WastedLocker first appeared on the scene in May, as the work of the Evil Corp group (a.k.a. Dudear). Evil Corp is also associated with the Dridex banking trojan and the BitPaymer ransomware.
Evil Corp’s previous schemes involved capturing banking credentials with Dridex and then making unauthorized electronic funds transfers from unknowing victims’ bank accounts. Money mules would then receive these stolen funds into their bank accounts, and transport the funds overseas. Multiple companies were targeted by Dridex, costing them millions of dollars; victims included two banks, a school district, a petroleum business, a building materials supply company and others.
In December, the Feds started cracking down on the group: U.S. authorities offered up $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua.” Separately, the U.S. Treasury Department in January issued sanctions against Evil Corp, “as part of a sweeping action against one of the world’s most prolific cybercriminal organizations.”
This is a developing story and Threatpost will update the reporting as it evolves.