[HN Gopher] Garmin obtains decryption key after ransomware attack
       ___________________________________________________________________
        
       Garmin obtains decryption key after ransomware attack
        
       Author : thinkmassive
       Score  : 130 points
       Date   : 2020-07-27 18:24 UTC (4 hours ago)
        
 (HTM) web link (news.sky.com)
 (TXT) w3m dump (news.sky.com)
        
       | Alex3917 wrote:
       | > If a payment was made through a third party it could also be
       | covered by the Treasury sanctions, which warn: "Foreign persons
       | may be subject to secondary sanctions for knowingly facilitating
       | a significant transaction or transactions with these designated
       | persons."
       | 
       | I accidentally took a phone call for a job that basically
       | involved using Bitcoin to launder money to send ransom payments
       | to terrorists. They told me that although it's technically
       | illegal, the U.S. government has never prosecuted anyone for
       | paying a ransom. I noped out after the first phone call for
       | obvious reasons, but it was pretty interesting just to learn
       | about the industry.
       | 
       | Anyway when Garmin says they didn't pay the ransom themselves,
       | they are telling the truth, instead they would have used this
       | company or one of their competitors. You can't just open a
       | Coinbase Pro account and buy 10 million BTC and transfer it your
       | first day. No bank is going to allow you to do that, since they
       | would then be liable for facilitating that transaction. Instead
       | you need to contract with a company that specializes in ransom
       | payments and has already accumulated the crypto in advance. Then
       | you pay them a percentage for their services.
        
         | CobrastanJorji wrote:
         | Weird. I would think that while it's not worth the government's
         | time to go after individual companies paying off ransoms, it
         | would definitely be worth their time to go after a business
         | professionally focused on paying illegal ransoms who tell
         | interview candidates that they are aware that what they do is
         | illegal.
        
           | Alex3917 wrote:
           | Maybe, maybe not. It's technically illegal to grow or possess
           | any amount of weed, but in practice you don't get prosecuted
           | (by the feds) unless you have over 100 plants or thousands of
           | pounds. Until ~2004 it was illegal for Native Americans to be
           | within Boston city limits.
           | 
           | There are thousands of things that are illegal, but in
           | practice are rarely if ever prosecuted, even in cases where
           | people are violating those laws at pretty significant scales.
           | 
           | In my case that's not a risk I'd be willing to take, but I
           | can see why other people would. The reason it's not
           | prosecuted though isn't because of companies, it's because
           | there are lots of wealthy people who travel overseas and then
           | get kidnapped, and the government isn't going to prosecute
           | their families for paying to not have their kids dismembered
           | and the videos posted on YouTube. The reason companies aren't
           | prosecuted is mainly because once you decide not to prosecute
           | families for doing this, then anyone else can make an equal
           | protection argument.
        
             | phjesusthatguy3 wrote:
             | >It's technically illegal to grow or possess any amount of
             | weed
             | 
             | Federally. The states have made this all higgledy-piggledy.
             | And since there's money (legit retail income and state
             | sales tax) involved, I'm surprised we don't have more
             | federal troops kicking down more retail establishment
             | doors.
        
             | codeflo wrote:
             | The perspective that there are "thousands of things that
             | are illegal" but not prosecuted always fascinates me,
             | that's not at all a common perception e.g. here in Germany.
             | Is that a difference between common law and civil law
             | systems? Maybe in places where code law is mostly binding,
             | there's a lot more pressure on the legislature to keep the
             | law books up to date with the current norms of society.
        
               | mohaine wrote:
               | Basically, many laws overlap and it isn't always clear
               | what applies. A new law may pass but they don't go strike
               | through all the old laws that no longer apply.
               | 
               | Also there are laws that reference other countries' laws.
               | An example is that it is (or was) illegal to buy/possess a
               | type of meat in the US that is illegal in other
               | jurisdictions. This was made to protect endangered
               | animals but can easily apply to everything as there are
               | a lot of jurisdictions and who really knows if any one of
               | them currently doesn't allow pork or beef for whatever
               | reason.
               | 
               | More details here a few minutes in:
               | https://www.youtube.com/watch?v=d-7o9xYp7eE
        
               | GlenTheMachine wrote:
               | Personally I see a big difference in the philosophy of
               | lawmaking in the US vs Germany. Take driving, for
               | instance. In the US, almost anyone who can physically
               | climb behind the driver's seat of a car can get a
               | drivers' license, and indeed having a drivers' license in
               | the US is almost a fundamental right. Speed limits are
               | then set, to first order, to accommodate the fact that
               | you have marginal drivers behind the wheel. In addition,
               | the police can - and do - selectively enforce driving
               | laws. Ideally that power would be used to keep truly bad
               | drivers off the roads, although the current civil unrest
               | in America shows that that selective enforcement is, to
               | put it mildly, abused.
               | 
               | In Germany, the barrier to getting a drivers' license is
               | much higher. More training, more stringent tests. But the
               | effect of that is that drivers are (mostly) assumed to be
               | able to adapt their driving to road conditions; as a
               | consequence, you get unlimited legal driving speeds on
               | part of the German road system. In good weather, traffic
               | permitting.
               | 
               | Of course, there are confounding facts: in my experience
               | the average physical state of a car is much better in
               | Germany than the US, and highways are better maintained.
               | But still, the contrast is interesting. In the US,
               | lifting speed limits on even straight roads through the
               | desert would have poor outcomes.
        
               | aka1234 wrote:
               | I can only speak from my layman's understanding of US
               | law. In the US, there's a doctrine of prosecutorial
               | discretion. Basically the police and prosecutors can
               | choose whether to arrest and charge someone for a crime.
               | 
               | > "Maybe in places where code law is mostly binding,
               | there's a lot more pressure on the legislature to keep
               | the law books up to date with the current norms of
               | society."
               | 
               | In the US, where everything is so entwined with politics,
               | there's a lot of unenforceable laws still on the books.
               | 
               | For example, the US Supreme Court struck down sodomy laws
               | in 2003. Last I checked, Texas still has a law on the
               | books criminalizing sodomy. Sure Texas can't enforce it,
               | but the conservative majority in the legislature won't
               | actually repeal the law because politics. Similarly, when
               | the US Supreme Court ruled that banning same-sex marriage
               | was unconstitutional, Texas had to recognize same-sex
               | marriage. But there was no law allowing same-sex couples
               | to divorce. So there was this weird limbo wherein you
               | couldn't get divorced if you were in a same-sex marriage.
               | 
               | America is weird.
        
               | roywiggins wrote:
               | There's a difference between laws that exist but are
               | rendered moot by a court ruling it unconstitutional, and
               | laws that exist and are constitutional but are just never
               | used, and laws that exist, and are probably not
               | constitutional, but aren't used, so have never been
               | challenged.
               | 
               | For all intents and purposes sodomy was made legal by the
               | 2003 precedent; that those laws are still technically in
               | black-and-white doesn't mean they're in force.
               | 
               | But there are lots of laws that are still in force but
               | aren't actually picked up and used much. They're still
               | there, though. For instance, hardly anyone was prosecuted
               | for Espionage Act violations for decades, but nobody
               | disputes that the DoJ can dust that law off and start
               | using it again, subject to the current jurisprudence on
               | free speech etc.
        
               | cheschire wrote:
               | In Germany it's currently illegal for someone to leave an
               | escooter outside of a designated parking space. How many
               | of them have you seen just laying around? I know in Mainz
               | I've seen dozens.
               | 
               | Just saying, there's plenty of laws here that aren't
               | prosecuted either.
        
               | paulcole wrote:
               | In Germany it seems as if something is outlawed then it
               | is believed that thing physically can't be done. In the
               | United States, we take it as a challenge!
        
           | meowface wrote:
           | It's a pretty legit business model; just because it's illegal
           | doesn't necessarily mean the government wants to go after
           | them. "Focused on paying illegal ransoms" = "allows companies
           | to recover from devastating attacks by being a middle-man for
           | paying the extortion fee and getting the decryption keys".
           | It's probably one of those things that the government tells
           | people not to do, but acknowledges is inevitable in many
           | cases.
           | 
           | A company I worked at once had a meeting with such a firm,
           | and it all sounded pretty reasonable to me. Obviously, one
           | would hope the company has backups (which are stored in a
           | place that can't itself become encrypted), but if they don't,
           | sometimes the cost of paying the ransom is far, far lower
           | than the cost of staying down. These middle-man firms have
           | probably saved companies from enormous amounts of damage.
           | Another commenter claimed these companies are often in
           | cahoots with the ransomers, which maybe is sometimes true,
           | but I highly doubt it in the case of the company we dealt
           | with, or other US-based companies with physical locations
           | that meet on-site.
           | 
           | Of course in an ideal world no one wants to reward criminals,
           | but just to give an extreme example, if someone kidnapped one
           | of your children and held them hostage, you'd probably pay
           | anything to get them back, and that's not far off from the
           | situation some ransomware-affected companies end up in.
        
             | Dahoon wrote:
             | When most of them are from a little connected with the
             | hackers to basically the same people and live off of
             | ransoms I wouldn't use words like Pretty legit. I'm sure
             | the exact business you have worked with is very different,
             | in your opinion. I'm also sure everyone says that. I doubt
             | a single one of these businesses exists that isn't connected to
             | hackers at all. How about a name if you are sure and we'll
             | see?
        
         | SkyBelow wrote:
         | If I handed you $110 to go buy $100 of drugs, then I'm still
         | paying for the drugs. What judge would be willing to allow such
         | a gotcha to actually pass? There would be a massive industry
         | for legally paying for illegal things if that were the case.
         | 
         | Then again, the acceptability of a gotcha seems to correlate
         | more with the amount of money spent on lawyers than on the
         | rationality of the gotcha, so as long as they have a large
         | enough legal department the worse they'll have is a fine that
         | they likely already included in the cost of the attack.
        
         | brianbreslin wrote:
         | I heard on NPR I think that some of these middlemen companies
         | are actually often in cahoots with the ransomware distributors.
        
           | superhuzza wrote:
           | I remember reading a fascinating article on the nature of the
           | companies that deal with ransomware. I think it was this one.
           | 
           | The TLDR is that these middleman companies allow ransomware
           | victims to both pay the fine and save face, by acting as if
           | they didn't pay the fine. The perpetrators prefer to deal
           | with the middlemen as they know how to pay in crypto, and are
           | predictable - the middleman and the hackers are closer to
           | partners than adversaries.
           | 
           | https://features.propublica.org/ransomware/ransomware-
           | attack...
        
         | mytailorisrich wrote:
         | I don't think that it is illegal to pay a ransom in general
         | under US law. It is illegal to receive a ransom, though. As
         | mentioned in the article, there are caveats related to terrorism
         | and to dealing with entities on sanctions lists.
         | 
         | Now, if Garmin obtained the decryption keys, as is alleged in
         | the article, it is clear that they paid. Note that the
         | 'anonymous sources' cited did not even deny payment but only
         | used a weasel turn of phrase 'did not directly make a payment',
         | which is quite different from 'did not pay'. My best guess, if
         | a payment was made, is that they hired people experts in
         | dealing with these situations who arranged everything and who
         | will bill for 'consulting services'...
        
           | Alex3917 wrote:
           | > I don't think that it is illegal to pay a ransom in general
           | under US law.
           | 
           | I mean I'm pretty sure you're not allowed to go wire money to
           | Al Qaeda, or to conspire to evade anti money laundering
           | controls in order to do so.
        
         | gpm wrote:
         | I'm curious, when you say terrorist, do you mean groups like
         | Evil Corp (mentioned in the article), or do you mean groups of
         | more "traditional" terrorists funding themselves via malware?
         | 
         | Edit: Or were the ransomware payments at hand not even malware
         | related, but more "traditional" ransoms?
        
       | truthwhisperer wrote:
       | that probably points them to the right direction. However, would
       | be scared to trust Garmin with any medical or medical related
       | data. This happening is a big no-go
        
       | bt3 wrote:
       | It's not clear to me from the article that Garmin did in fact get
       | the decryption key. There's enough verbiage suggesting they
       | _didn't_ pay the ransom, so are we to assume they had other means?
       | 
       | It also took Garmin quite a while to acknowledge the ongoing
       | situation formally (their outage page has been accurate with red
       | lights across the board). Could it be that Garmin just started to
       | spin up more hardware and began a migration of their last
       | backups? (I'm so far removed from how their service operates so
       | apologies if this sounds impractical)
        
         | solumos wrote:
         | Migrating to backups seems possible. Garmin is pretty complex
         | in that it produces hardware and software across a few
         | verticals, but I don't think there's anything that makes them
         | particularly unique in the way they'd handle backups/failover.
         | 
         | I think it's also possible that Garmin proactively pulled the
         | plug on their public-facing services in order to mitigate the
         | spread of the attack. It would be _really_ bad if the attackers
         | could make the hop from Garmin's web services to consumer
         | devices.
        
           | adwww wrote:
           | ...or avionics systems for that matter!
        
         | sh-run wrote:
         | I'd be curious to know what all was actually impacted by the
         | ransomware. It sounds like they shut down all their services in
         | order to assess the damage.
         | 
         | Maybe this only affected their corporate infrastructure or
         | manufacturing infrastructure. Looking through my connect
         | account I don't see any missing data that would point to a
         | backup old enough to not be encrypted. My watch does store some
         | information offline so it could be that any gaps have already
         | been filled in or it could be that connect was encrypted and
         | has since been decrypted.
        
         | prh8 wrote:
         | Yeah it's just a very poor article all around. Literally
         | nothing to support the title of the entire article.
        
         | vb6sp6 wrote:
         | > There's enough verbiage suggesting they didn't pay the ransom
         | 
         | It says they "did not directly make a payment to the hackers".
         | You can't just take 10mil and convert it to bitcoin. My best
         | guess is that a 3rd party made the payment and Garmin will be
         | reimbursing
        
           | NotSammyHagar wrote:
           | saying they did not directly make a payment makes it certain
           | someone paid.
        
       | _salmon wrote:
       | There's nothing definitive that says they paid the ransom or
       | obtained the decryption key from the attackers. Rumors on Twitter
       | say that they're rebuilding services from backups and slowly
       | getting things back online
        
         | solumos wrote:
         | I can imagine it's possible that a 1-week outage + cyber risk
         | insurance claim + rebuilding from backups could net out to less
         | than $10M.
        
           | nomdep wrote:
           | It doesn't matter. Unless a life is at risk, you never ever
           | pay ransoms, or others will try again.
        
             | keitmo wrote:
             | The outage took out at least some of their aviation
             | services. If they are unable to update routes and IFR
             | approach procedures then lives could indeed be at risk.
        
               | aaronmdjones wrote:
               | Not quite. The onus is on the pilots to never fly with
               | out-of-date navigation information (it's actually
               | illegal), so if they can't get that from Garmin, they'd
               | just have to get it from somewhere else instead. Garmin's
               | data services being unavailable isn't endangering anyone.
        
               | Scoundreller wrote:
               | Yep, plenty of planes flying out there without any
               | electronic maps.
               | 
               | The attack happened about a week after the FAA's last
               | update went into force. And I believe they're distributed
               | a week before that.
               | 
               | So the only groundings would've been those that have been
               | parked for a while (I guess. I don't know how they do
               | updates).
               | 
               | https://www.faa.gov/air_traffic/flight_info/aeronav/aero_
               | dat...
               | 
               | --armchair aviator
        
             | justapassenger wrote:
             | It's super easy to make statements like that, when you are
             | an unaffected third party.
             | 
             | I'm against fueling ransoms, but this isn't black and white
             | when it hits home.
        
             | blackboxlogic wrote:
             | Ex Garmin employee here. Some of their infrastructure
             | supports emergency response. Hard to know how much of what
             | went offline, but if /that/ goes down, people die. On-call
             | was not fun.
        
               | blackboxlogic wrote:
               | Also should note: the life-critical infrastructure was
               | somewhat insulated from the rest of it.
        
               | obmelvin wrote:
               | supposedly inReach wasn't included in the down time?
               | Wonder if due to better infra or just highly (and
               | rightfully so) prioritized once things went south
        
               | blackboxlogic wrote:
               | Checking https://status.inreach.garmin.com/ (oh the
               | memories) Looks like the meat and potatoes held together!
               | I'd credit segregated infrastructure and redundancy.
        
               | Scoundreller wrote:
               | Most of it runs over Iridium, so I wonder how much IoT is
               | really involved vs just being a different hardware front-
               | end for Iridium services.
        
               | obmelvin wrote:
               | Ah, that would probably explain it. I was wondering if
               | the actors wanted to avoid touching services that could
               | impact people's lives, due to that potentially leading to
               | more motivated investigations. Possibly, but also could
               | just be that it is largely a hardware front-end for
               | Iridium's service.
        
       | hangonhn wrote:
       | I wonder if going after such a well known target was a mistake
       | since once the news leaked out it put Garmin in a position where
       | it would be much harder for them to pay the ransom. I wonder if
       | their chances of success are higher by going after a larger
       | number of lesser known and less valuable targets who may not
       | garner the attention nor have the IT staff to deal with the
       | issue.
        
         | interestica wrote:
         | But then you're not going to get as high of a payout? Maybe
         | this math works, or maybe it's a feeler to figure out where the
         | line is.
        
       | NotSammyHagar wrote:
       | I'm quite surprised that people seem kind of ok with the idea of
       | ransomware. It's a horrible, criminal corrupt practice and it's
       | destructive to pay or participate in anything to do with this.
        
         | bitxbitxbitcoin wrote:
         | I think the kind of ok feel is from the "they should have had
         | backups, that'll teach 'em" crowd.
        
       | rodgerd wrote:
       | I am a lot more interested in the answers to questions like:
       | 
       | 1. Why was there lateral spread across low-criticality devices
       | fitness devices and avionics devices?
       | 
       | 2. Why was there lateral spread across manufacturing, customer
       | support, and PII regions?
       | 
       | 3. What assurances are there that health information wasn't
       | leaked?
       | 
       | 4. What's the general security position around avionics, marine,
       | and health data at Garmin?
        
         | Spooky23 wrote:
         | Segmentation is expensive and slows stuff down. Businesses are
         | bad at segmenting risk.
         | 
         | I'd expect the avionics and marine stuff to be a little better
         | due to compliance requirements.
        
           | dylan604 wrote:
           | I don't know. It seems like whenever a company needs to have
           | data shared, it by default is siloed. Yet when a company
           | needs siloed/segmented verticals, they are shared with no
           | boundaries. You rarely hear about companies that have done it
           | correctly, yet everyone has worked for a company that does it
           | badly.
        
       | interestica wrote:
       | > Smartwatch maker Garmin has obtained the decryption key to
       | recover its computer files from a ransomware attack last
       | Thursday, Sky News has learned.
       | 
       | Is this really the aspect of their business that they're most
       | known for now? I still think of them as a GPS/Geolocation device
       | company.
        
         | thelean12 wrote:
         | GPS smart watches are probably their most successful consumer
         | product currently. If you glance at their website you might
         | think that's all that they do.
        
       | SimonPStevens wrote:
       | This title is overly misleading. There is no evidence presented
       | in the article to even suggest they paid the ransom. And Garmin
       | declined to comment.
       | 
       | It's possible they paid, but it's also possible they are just
       | restoring backups.
        
         | NotSammyHagar wrote:
         | I'm certain they paid, that's why they are making ambiguous
         | statements. I hope they prosecute them for this payment. An
         | indirect payment is still a criminal action in my opinion. If
         | the mafia said they'd burn their building down or kill their
         | ceo or whatever, and they paid them off through some abstract
         | indirect transaction it would still be wrong.
         | 
         | This should make them a direct target now, they will pay you
         | off. Among many many reasons allowing payments like this will
         | just encourage these criminals to keep doing this bullshit.
        
         | beloch wrote:
         | If they didn't pay off the hackers and are recovering on their
         | own, it would be in Garmin's best interests to issue a public
         | statement explicitly saying so. Failing to do so may make them
         | a target for other hacker groups. Their vulnerability is now
         | proven and their willingness to pay strongly suggested.
        
           | SkyBelow wrote:
           | Even if they did pay, wouldn't it still be better to say they
           | were restoring from backups? Makes them look far less
           | vulnerable to the attack and they can likely wrap it with
           | enough PR speak to not be technically lying. Arguably about
           | as morally troublesome of an act as paying for the ransom.
        
             | gruez wrote:
             | >Even if they did pay, wouldn't it still be better to say
             | they were restoring from backups?
             | 
             | Probably because that would be securities fraud? You'd be
             | essentially duping investors into thinking the company is
             | better than it is. eg. if there was a fire in your widget
             | factory and the whole place got destroyed, you can't turn
             | around and tell investors "everything's fine, the fire
             | suppression system worked as intended", because you'd be
             | lying to investors about the state of the company.
        
       | exabrial wrote:
       | I should be able to see all of my locally recorded stuff without
       | the cloud.
       | 
       | I was happy that basic functions of my Garmin Venu continued to
       | work. But some stuff should be cached, or stuff that hasn't been
       | sync'd should be available locally.
        
       | jrockway wrote:
       | Has there been any discussion about the technical details of the
       | attack? I am having a hard time imagining how a compromise of a
       | workstation could result in the entire company -- their own apps,
       | their call center -- going down for days. I can see how malware
       | could break production severely ("kubectl delete deployments"
       | from a trusted workstation). I can see how malware can wipe out
       | your desktop. I can see how malware could f your cloud
       | infrastructure account. But I'm not drawing the line to "we can't
       | build a new release and deploy it on another provider" or "we
       | can't buy an emergency Dialpad account to start taking calls from
       | customers".
       | 
       | My guess is this: two separate attacks occurred. The first attack
       | involved compromising production, and installed a scheduled job
       | that, at a certain time, would delete all database backups and
       | code repositories, deschedule all workloads, delete all DNS
       | records, etc. The next attack involves the fact that all source
       | code is on managed workstations, so they compromised the IT
       | management system to push malware to every machine globally at
       | the exact same time that would destroy all git repositories
       | (etc.) on the workstations. The result was that when the
       | scheduled time occurred, production would crash and there would
       | be no backups. (They must have wiped all the tapes at their
       | offsite backup facility, too. I guess anything can be done for a
       | price!)
       | 
       | To me, this sounds too complicated to even be feasible. I am
       | still impressed when I edit some manifest with a new version
       | number that 90% of the time that code eventually starts running.
       | Being able to orchestrate a multiday outage just seems amazing to
       | me, and that you'd make a lot more money being a cloud provider
       | than a cybercriminal.
       | 
       | The other thought I had was that maybe they just kept thinking
       | "we're so close to getting it back" for three days, rather than
       | saying "everything is lost, revert to backups".
        
         | interestica wrote:
         | The impression I got was that the call centre/apps were taken
         | down as a preventative measure by their own IT dept. It was
         | probably best from a PR standpoint to keep the call centre
         | silent rather than having a de facto inoperable call centre
         | inundated with calls about the broken service.
        
         | james412 wrote:
         | > I am having a hard time imagining how a compromise of a
         | workstation could result in the entire company -- their own
         | apps, their call center -- going down for days
         | 
         | Can't guess at specifics, but if it's a Windows network, I
         | would be utterly unsurprised if all users had excess
         | permissions to shared drives
         | 
         | Many Windows networks just have a giant X: everyone can write
         | to, and it's been like that forever, and it's so deeply baked
         | into everyone's workflow that it never gets fixed
        
           | stefan_ wrote:
           | Is it common practice to have the servers running your
           | production (not in the manufacturing sense) cloud services
           | _join the AD domain that has your office staff in it_? Why?
           | That doesn't even make any sense from a convenience PoV.
           | 
           | It just seems like an unfathomable level of incompetence
           | required to go from compromising some random Windows
           | workstation all across the hardware that runs your app
           | services. And lest we forget: a ransomware attack is always
           | also a massive _data loss attack_. Garmin better get to work
           | complying with the law and notifying impacted customers (all
           | of them?).
        
           | EvanAnderson wrote:
           | I would presume that the attacker was able to obtain Domain
           | Admin / Enterprise Admin rights before they deployed the
           | payload, then they just steamrolled over everything.
           | 
           | The one of these that I got called-in to clean up after
           | literally had a batch file on Domain Controllers w/ a text
           | file of computer names for a FOR loop launching the malware
           | on computer-after-computer with "psexec". It was decidedly
           | non-sophisticated. The attacker compromised a Domain Admin
           | account and then they were set.
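
Added example, not part of the thread or of any commenter's post: a detection sketch for the psexec fan-out described in the comment above, flagging one account that installs the PSEXESVC service (System event ID 7045, the artifact PsExec leaves on each target) on many hosts within a short window. The JSON field names (ts, host, event_id, service_name, account), the thresholds and every sample record are constructed assumptions standing in for a normalized log export.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). One JSON object per line,
# in a hypothetical normalized export of Windows System-log events.
SAMPLE_EVENTS = """\
{"ts": "2020-07-23T01:02:00", "host": "SRV-FILE01", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:14:05", "host": "WS-0101", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:14:31", "host": "WS-0102", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:15:00", "host": "WS-0103", "event_id": 7045, "service_name": "Updater", "account": "SYSTEM"}
{"ts": "2020-07-23T02:15:02", "host": "WS-0103", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:15:40", "host": "WS-0104", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:15:41", "host": "WS-0104", "event_id": 7036, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:16:11", "host": "WS-0105", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T02:16:48", "host": "WS-0106", "event_id": 7045, "service_name": "PSEXESVC", "account": "da-backup"}
{"ts": "2020-07-23T09:30:00", "host": "WS-0200", "event_id": 7045, "service_name": "PSEXESVC", "account": "helpdesk1"}
{"ts": "2020-07-23T14:05:00", "host": "WS-0201", "event_id": 7045, "service_name": "PSEXESVC", "account": "helpdesk1"}
"""

SERVICE_INSTALLED = 7045  # Service Control Manager: "A service was installed"


def find_psexec_fanout(lines, min_hosts=5, window=timedelta(minutes=10),
                       service_name="PSEXESVC"):
    """Return one alert per account that installed `service_name` on at
    least `min_hosts` distinct hosts inside any sliding `window`.

    Matching on the default service name only catches unrenamed PsExec;
    a production rule would also look at the service image path.
    """
    per_account = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_id") != SERVICE_INSTALLED:
            continue
        if ev.get("service_name", "").upper() != service_name.upper():
            continue
        per_account[ev["account"]].append(
            (datetime.fromisoformat(ev["ts"]), ev["host"]))

    alerts = []
    for account, hits in per_account.items():
        hits.sort()                      # chronological order
        in_window = deque()              # (ts, host) pairs inside the window
        host_counts = defaultdict(int)   # host -> occurrences inside the window
        best = None
        for ts, host in hits:
            in_window.append((ts, host))
            host_counts[host] += 1
            # Drop events that have fallen out of the sliding window.
            while ts - in_window[0][0] > window:
                _, old_host = in_window.popleft()
                host_counts[old_host] -= 1
                if host_counts[old_host] == 0:
                    del host_counts[old_host]
            # Keep the widest burst seen for this account.
            if len(host_counts) >= min_hosts and (
                    best is None or len(host_counts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "first_seen": in_window[0][0],
                    "last_seen": ts,
                    "hosts": sorted(host_counts),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_psexec_fanout(SAMPLE_EVENTS.splitlines()):
        print("{account}: {n} hosts between {first} and {last}".format(
            account=alert["account"], n=len(alert["hosts"]),
            first=alert["first_seen"].isoformat(),
            last=alert["last_seen"].isoformat()))
```

Software-deployment tooling can produce the same burst shape, so the account and originating host on an alert still need checking against known admin activity.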
        
       | verytrivial wrote:
       | For the vast majority of users Garmin have ZERO liability re data
       | retention. They could just say WHOOPS! and zero all accounts and
       | require everyone to resync. And I would have respected them for
       | that as they've now sent $10M to these assailants to increase the
       | sophistication of their attacks and retain/lure/entrap more
       | skilled developers. But then I'm a bit of a moral absolutist.
       | 
       | If their financial records were all toast too I wonder what the
       | fines would have been ...
        
         | cafebabbe wrote:
         | brand reputation is a heck of a liability
        
       | ideals wrote:
       | A few people have commented on the logistics of paying a large
       | Bitcoin ransom which can entail hiring a 3rd party to pay it.
       | 
       | Could an independent party buy the decryption keys from the
       | ransomware party for their asking price then attempt to resell
       | this to Garmin (or other party) for more money?
       | 
       | Of course it's a bit game theory because you're depending on the
       | target to pay and the ransomware attacker to not relinquish and
       | resell the key to anyone else including the target.
       | 
       | Ignore the legality of it all else it's not very interesting to
       | think about.
        
       ___________________________________________________________________
       (page generated 2020-07-27 23:00 UTC)