[HN Gopher] Garmin obtains decryption key after ransomware attack
___________________________________________________________________

Garmin obtains decryption key after ransomware attack

Author : thinkmassive
Score  : 130 points
Date   : 2020-07-27 18:24 UTC (4 hours ago)

web link (news.sky.com)
w3m dump (news.sky.com)

| Alex3917 wrote:
| > If a payment was made through a third party it could also be covered by the Treasury sanctions, which warn: "Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons."
|
| I accidentally took a phone call for a job that basically involved using Bitcoin to launder money to send ransom payments to terrorists. They told me that although it's technically illegal, the U.S. government has never prosecuted anyone for paying a ransom. I noped out after the first phone call for obvious reasons, but it was pretty interesting just to learn about the industry.
|
| Anyway when Garmin says they didn't pay the ransom themselves, they are telling the truth; instead they would have used this company or one of their competitors. You can't just open a Coinbase Pro account and buy 10 million BTC and transfer it on your first day. No bank is going to allow you to do that, since they would then be liable for facilitating that transaction. Instead you need to contract with a company that specializes in ransom payments and has already accumulated the crypto in advance. Then you pay them a percentage for their services.
| CobrastanJorji wrote:
| Weird. I would think that while it's not worth the government's time to go after individual companies paying off ransoms, it would definitely be worth their time to go after a business professionally focused on paying illegal ransoms who tell interview candidates that they are aware that what they do is illegal.
| Alex3917 wrote:
| Maybe, maybe not.
| It's technically illegal to grow or possess any amount of weed, but in practice you don't get prosecuted (by the feds) unless you have over 100 plants or thousands of pounds. Until ~2004 it was illegal for Native Americans to be within Boston city limits.
|
| There are thousands of things that are illegal, but in practice are rarely if ever prosecuted, even in cases where people are violating those laws at pretty significant scales.
|
| In my case that's not a risk I'd be willing to take, but I can see why other people would. The reason it's not prosecuted though isn't because of companies, it's because there are lots of wealthy people who travel overseas and then get kidnapped, and the government isn't going to prosecute their families for paying to not have their kids dismembered and the videos posted on YouTube. The reason companies aren't prosecuted is mainly because once you decide not to prosecute families for doing this, then anyone else can make an equal protection argument.
| phjesusthatguy3 wrote:
| > It's technically illegal to grow or possess any amount of weed
|
| Federally. The states have made this all higgledy-piggledy. And since there's money (legit retail income and state sales tax) involved, I'm surprised we don't have more federal troops kicking down more retail establishment doors.
| codeflo wrote:
| The perspective that there are "thousands of things that are illegal" but not prosecuted always fascinates me; that's not at all a common perception e.g. here in Germany. Is that a difference between common law and civil law systems? Maybe in places where code law is mostly binding, there's a lot more pressure on the legislature to keep the law books up to date with the current norms of society.
| mohaine wrote:
| Basically, many laws overlap and it isn't always clear what applies. A new law may pass but they don't go strike through all the old laws that no longer apply.
|
| Also there are laws that reference other countries' laws. An example is that it is (or was) illegal to buy/possess a type of meat in the US that is illegal in other jurisdictions. This was made to protect endangered animals but can easily apply to everything as there are a lot of jurisdictions and who really knows if any one of them currently doesn't allow pork or beef for whatever reason.
|
| More details here a few minutes in: https://www.youtube.com/watch?v=d-7o9xYp7eE
| GlenTheMachine wrote:
| Personally I see a big difference in the philosophy of lawmaking in the US vs Germany. Take driving, for instance. In the US, almost anyone who can physically climb behind the driver's seat of a car can get a driver's license, and indeed having a driver's license in the US is almost a fundamental right. Speed limits are then set, to first order, to accommodate the fact that you have marginal drivers behind the wheel. In addition, the police can - and do - selectively enforce driving laws. Ideally that power would be used to keep truly bad drivers off the roads, although the current civil unrest in America shows that that selective enforcement is, to put it mildly, abused.
|
| In Germany, the barrier to getting a driver's license is much higher. More training, more stringent tests. But the effect of that is that drivers are (mostly) assumed to be able to adapt their driving to road conditions; as a consequence, you get unlimited legal driving speeds on part of the German road system. In good weather, traffic permitting.
|
| Of course, there are confounding facts: in my experience the average physical state of a car is much better in Germany than the US, and highways are better maintained. But still, the contrast is interesting. In the US, lifting speed limits on even straight roads through the desert would have poor outcomes.
| aka1234 wrote:
| I can only speak from my layman's understanding of US law.
| In the US, there's a doctrine of prosecutorial discretion. Basically the police and prosecutors can choose whether to arrest and charge someone for a crime.
|
| > "Maybe in places where code law is mostly binding, there's a lot more pressure on the legislature to keep the law books up to date with the current norms of society."
|
| In the US, where everything is so entwined with politics, there are a lot of unenforceable laws still on the books.
|
| For example, the US Supreme Court struck down sodomy laws in 2003. Last I checked, Texas still has a law on the books criminalizing sodomy. Sure Texas can't enforce it, but the conservative majority in the legislature won't actually repeal the law because politics. Similarly, when the US Supreme Court ruled that banning same-sex marriage was unconstitutional, Texas had to recognize same-sex marriage. But there was no law allowing same-sex couples to divorce. So there was this weird limbo wherein you couldn't get divorced if you were in a same-sex marriage.
|
| America is weird.
| roywiggins wrote:
| There's a difference between laws that exist but are rendered moot by a court ruling them unconstitutional, laws that exist and are constitutional but are just never used, and laws that exist, and are probably not constitutional, but aren't used, so have never been challenged.
|
| For all intents and purposes sodomy was made legal by the 2003 precedent; that those laws are still technically in black-and-white doesn't mean they're in force.
|
| But there are lots of laws that are still in force but aren't actually picked up and used much. They're still there, though. For instance, hardly anyone was prosecuted for Espionage Act violations for decades, but nobody disputes that the DoJ can dust that law off and start using it again, subject to the current jurisprudence on free speech etc.
| [deleted]
| cheschire wrote:
| In Germany it's currently illegal for someone to leave an e-scooter outside of a designated parking space. How many of them have you seen just lying around? I know in Mainz I've seen dozens.
|
| Just saying, there are plenty of laws here that aren't prosecuted either.
| paulcole wrote:
| In Germany it seems as if something is outlawed then it is believed that thing physically can't be done. In the United States, we take it as a challenge!
| meowface wrote:
| It's a pretty legit business model; just because it's illegal doesn't necessarily mean the government wants to go after them. "Focused on paying illegal ransoms" = "allows companies to recover from devastating attacks by being a middle-man for paying the extortion fee and getting the decryption keys". It's probably one of those things that the government tells people not to do, but acknowledges is inevitable in many cases.
|
| A company I worked at once had a meeting with such a firm, and it all sounded pretty reasonable to me. Obviously, one would hope the company has backups (which are stored in a place that can't itself become encrypted), but if they don't, sometimes the cost of paying the ransom is far, far lower than the cost of staying down. These middle-man firms have probably saved companies from enormous amounts of damage. Another commenter claimed these companies are often in cahoots with the ransomers, which maybe is sometimes true, but I highly doubt it in the case of the company we dealt with, or other US-based companies with physical locations that meet on-site.
|
| Of course in an ideal world no one wants to reward criminals, but just to give an extreme example, if someone kidnapped one of your children and held them hostage, you'd probably pay anything to get them back, and that's not far off from the situation some ransomware-affected companies end up in.
| Dahoon wrote:
| When most of them are from a little connected with the hackers to basically the same people and live off of ransoms I wouldn't use words like "pretty legit". I'm sure the exact business you have worked with is very different, in your opinion. I'm also sure everyone says that. I doubt a single one of these businesses exists that isn't connected to hackers at all. How about a name if you are sure and we'll see?
| SkyBelow wrote:
| If I handed you $110 to go buy $100 of drugs, then I'm still paying for the drugs. What judge would be willing to allow such a gotcha to actually pass? There would be a massive industry for legally paying for illegal things if that were the case.
|
| Then again, the acceptability of a gotcha seems to correlate more with the amount of money spent on lawyers than on the rationality of the gotcha, so as long as they have a large enough legal department the worst they'll have is a fine that they likely already included in the cost of the attack.
| brianbreslin wrote:
| I heard on NPR I think that some of these middlemen companies are actually often in cahoots with the ransomware distributors.
| superhuzza wrote:
| I remember reading a fascinating article on the nature of the companies that deal with ransomware. I think it was this one.
|
| The TLDR is that these middleman companies allow ransomware victims to both pay the fine and save face, by acting as if they didn't pay the fine. The perpetrators prefer to deal with the middlemen as they know how to pay in crypto, and are predictable - the middleman and the hackers are closer to partners than adversaries.
|
| https://features.propublica.org/ransomware/ransomware-attack...
| mytailorisrich wrote:
| I don't think that it is illegal to pay a ransom in general under US law. It is illegal to receive a ransom, though. As mentioned in the article, there are caveats related to terrorism and to dealing with entities on sanctions lists.
|
| Now, if Garmin obtained the decryption keys, as is alleged in the article, it is clear that they paid. Note that the 'anonymous sources' cited did not even deny payment but only used a weasel turn of phrase, 'did not directly make a payment', which is quite different from 'did not pay'. My best guess, if a payment was made, is that they hired people who are experts in dealing with these situations who arranged everything and who will bill for 'consulting services'...
| Alex3917 wrote:
| > I don't think that it is illegal to pay a ransom in general under US law.
|
| I mean I'm pretty sure you're not allowed to go wire money to Al Qaeda, or to conspire to evade anti money laundering controls in order to do so.
| gpm wrote:
| I'm curious, when you say terrorist, do you mean groups like Evil Corp (mentioned in the article), or do you mean groups of more "traditional" terrorists funding themselves via malware?
|
| Edit: Or were the ransomware payments at hand not even malware related, but more "traditional" ransoms?
| truthwhisperer wrote:
| That probably points them in the right direction. However, I would be scared to trust Garmin with any medical or medical-related data. This happening is a big no-go.
| bt3 wrote:
| It's not clear to me from the article that Garmin did in fact get the decryption key. There's enough verbiage suggesting they _didn't_ pay the ransom, so are we to assume they had other means?
|
| It also took Garmin quite a while to acknowledge the ongoing situation formally (their outage page has been accurate with red lights across the board). Could it be that Garmin just started to spin up more hardware and began a migration of their last backups? (I'm so far removed from how their service operates so apologies if this sounds impractical)
| solumos wrote:
| Migrating to backups seems possible.
| Garmin is pretty complex in that it produces hardware and software across a few verticals, but I don't think there's anything that makes them particularly unique in the way they'd handle backups/failover.
|
| I think it's also possible that Garmin proactively pulled the plug on their public-facing services in order to mitigate the spread of the attack. It would be _really_ bad if the attackers could make the hop from Garmin's web services to consumer devices.
| adwww wrote:
| ...or avionics systems for that matter!
| sh-run wrote:
| I'd be curious to know what all was actually impacted by the ransomware. It sounds like they shut down all their services in order to assess the damage.
|
| Maybe this only affected their corporate infrastructure or manufacturing infrastructure. Looking through my Connect account I don't see any missing data that would point to a backup old enough to not be encrypted. My watch does store some information offline so it could be that any gaps have already been filled in, or it could be that Connect was encrypted and has since been decrypted.
| prh8 wrote:
| Yeah it's just a very poor article all around. Literally nothing to support the title of the entire article.
| vb6sp6 wrote:
| > There's enough verbiage suggesting they didn't pay the ransom
|
| It says they "did not directly make a payment to the hackers". You can't just take 10mil and convert it to bitcoin. My best guess is that a 3rd party made the payment and Garmin will be reimbursing.
| NotSammyHagar wrote:
| Saying they did not directly make a payment makes it certain someone paid.
| _salmon wrote:
| There's nothing definitive that says they paid the ransom or obtained the decryption key from the attackers.
| Rumors on Twitter say that they're rebuilding services from backups and slowly getting things back online.
| solumos wrote:
| I can imagine it's possible that a 1-week outage + cyber risk insurance claim + rebuilding from backups could net out to less than $10M.
| nomdep wrote:
| It doesn't matter. Unless a life is at risk, you never ever pay ransoms, or others will try again.
| keitmo wrote:
| The outage took out at least some of their aviation services. If they are unable to update routes and IFR approach procedures then lives could indeed be at risk.
| aaronmdjones wrote:
| Not quite. The onus is on the pilots to never fly with out-of-date navigation information (it's actually illegal), so if they can't get that from Garmin, they'd just have to get it from somewhere else instead. Garmin's data services being unavailable isn't endangering anyone.
| Scoundreller wrote:
| Yep, plenty of planes flying out there without any electronic maps.
|
| The attack happened about a week after the FAA's last update went into force. And I believe they're distributed a week before that.
|
| So the only groundings would've been those that have been parked for a while (I guess. I don't know how they do updates).
|
| https://www.faa.gov/air_traffic/flight_info/aeronav/aero_dat...
|
| --armchair aviator
| justapassenger wrote:
| It's super easy to make statements like that when you are an unaffected third party.
|
| I'm against fueling ransoms, but this isn't black and white when it hits home.
| blackboxlogic wrote:
| Ex-Garmin employee here. Some of their infrastructure supports emergency response. Hard to know how much of what went offline, but if /that/ goes down, people die. On-call was not fun.
| blackboxlogic wrote:
| Also should note: the life-critical infrastructure was somewhat isolated from the rest of it.
| obmelvin wrote:
| Supposedly inReach wasn't included in the downtime?
| Wonder if due to better infra or just highly (and rightfully so) prioritized once things went south.
| blackboxlogic wrote:
| Checking https://status.inreach.garmin.com/ (oh the memories). Looks like the meat and potatoes held together! I'd credit segregated infrastructure and redundancy.
| Scoundreller wrote:
| Most of it runs over Iridium, so I wonder how much IoT is really involved vs just being a different hardware front-end for Iridium services.
| obmelvin wrote:
| Ah, that would probably explain it. I was wondering if the actors wanted to avoid touching services that could impact people's lives, due to that potentially leading to more motivated investigations. Possibly, but it also could just be that it is largely a hardware front-end for Iridium's service.
| hangonhn wrote:
| I wonder if going after such a well-known target was a mistake since once the news leaked out it put Garmin in a position where it would be much harder for them to pay the ransom. I wonder if their chances of success are higher by going after a larger number of lesser-known and less valuable targets who may not garner the attention nor have the IT staff to deal with the issue.
| interestica wrote:
| But then you're not going to get as high of a payout? Maybe this math works, or maybe it's a feeler to figure out where the line is.
| NotSammyHagar wrote:
| I'm quite surprised that people seem kind of OK with the idea of ransomware. It's a horrible, criminal, corrupt practice and it's destructive to pay or participate in anything to do with this.
| bitxbitxbitcoin wrote:
| I think the kind of OK feel is from the "they should have had backups, that'll teach 'em" crowd.
| rodgerd wrote:
| I am a lot more interested in the answers to questions like:
|
| 1. Why was there lateral spread across low-criticality fitness devices and avionics devices?
|
| 2. Why was there lateral spread across manufacturing, customer support, and PII regions?
|
| 3. What assurances are there that health information wasn't leaked?
|
| 4. What's the general security position around avionics, marine, and health data at Garmin?
| Spooky23 wrote:
| Segmentation is expensive and slows stuff down. Businesses are bad at segmenting risk.
|
| I'd expect the avionics and marine stuff to be a little better due to compliance requirements.
| dylan604 wrote:
| I don't know. It seems like whenever a company needs to have data shared, it by default is siloed. Yet when a company needs siloed/segmented verticals, they are shared with no boundaries. You rarely hear about companies that have done it correctly, yet everyone has worked for a company that does it badly.
| interestica wrote:
| > Smartwatch maker Garmin has obtained the decryption key to recover its computer files from a ransomware attack last Thursday, Sky News has learned.
|
| Is this really the aspect of their business that they're most known for now? I still think of them as a GPS/Geolocation device company.
| thelean12 wrote:
| GPS smart watches are probably their most successful consumer product currently. If you glance at their website you might think that's all that they do.
| SimonPStevens wrote:
| This title is overly misleading. There is no evidence presented in the article to even suggest they paid the ransom. And Garmin declined to comment.
|
| It's possible they paid, but it's also possible they are just restoring backups.
| NotSammyHagar wrote:
| I'm certain they paid, that's why they are making ambiguous statements. I hope they prosecute them for this payment. An indirect payment is still a criminal action in my opinion. If the mafia said they'd burn their building down or kill their CEO or whatever, and they paid them off through some abstract indirect transaction it would still be wrong.
|
| This should make them a direct target now; they will pay you off.
| Among many, many reasons, allowing payments like this will just encourage these criminals to keep doing this bullshit.
| beloch wrote:
| If they didn't pay off the hackers and are recovering on their own, it would be in Garmin's best interests to issue a public statement explicitly saying so. Failing to do so may make them a target for other hacker groups. Their vulnerability is now proven and their willingness to pay strongly suggested.
| SkyBelow wrote:
| Even if they did pay, wouldn't it still be better to say they were restoring from backups? Makes them look far less vulnerable to the attack and they can likely wrap it with enough PR speak to not be technically lying. Arguably about as morally troublesome of an act as paying for the ransom.
| gruez wrote:
| > Even if they did pay, wouldn't it still be better to say they were restoring from backups?
|
| Probably because that would be securities fraud? You'd be essentially duping investors into thinking the company is better than it is. E.g. if there was a fire in your widget factory and the whole place got destroyed, you can't turn around and tell investors "everything's fine, the fire suppression system worked as intended", because you'd be lying to investors about the state of the company.
| exabrial wrote:
| I should be able to see all of my locally recorded stuff without the cloud.
|
| I was happy that basic functions of my Garmin Venu continued to work. But some stuff should be cached, or stuff that hasn't been synced should be available locally.
| jrockway wrote:
| Has there been any discussion about the technical details of the attack? I am having a hard time imagining how a compromise of a workstation could result in the entire company -- their own apps, their call center -- going down for days. I can see how malware could break production severely ("kubectl delete deployments" from a trusted workstation). I can see how malware can wipe out your desktop.
| I can see how malware could f your cloud infrastructure account. But I'm not drawing the line to "we can't build a new release and deploy it on another provider" or "we can't buy an emergency Dialpad account to start taking calls from customers".
|
| My guess is this: two separate attacks occurred. The first attack involved compromising production, and installed a scheduled job that, at a certain time, would delete all database backups and code repositories, deschedule all workloads, delete all DNS records, etc. The next attack involves the fact that all source code is on managed workstations, so they compromised the IT management system to push malware to every machine globally at the exact same time that would destroy all git repositories (etc.) on the workstations. The result was that when the scheduled time occurred, production would crash and there would be no backups. (They must have wiped all the tapes at their offsite backup facility, too. I guess anything can be done for a price!)
|
| To me, this sounds too complicated to even be feasible. I am still impressed when I edit some manifest with a new version number that 90% of the time that code eventually starts running. Being able to orchestrate a multiday outage just seems amazing to me, and that you'd make a lot more money being a cloud provider than a cybercriminal.
|
| The other thought I had was that maybe they just kept thinking "we're so close to getting it back" for three days, rather than saying "everything is lost, revert to backups".
| interestica wrote:
| The impression I got was that the call centre/apps were taken down as a preventative measure by their own IT dept. It was probably best from a PR standpoint to keep the call centre silent rather than having a de facto inoperable call centre inundated with calls about the broken service.
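Editor's added example, not part of the thread and not Garmin's code: the question above asks how a single compromised workstation turns into a company-wide outage, and the answer that comes up further down this thread (EvanAnderson describes a case with a Domain Admin account, a text file of computer names and a FOR loop launching the payload with psexec from the Domain Controllers) is the usual one: once the attacker holds domain-wide admin, the payload is simply pushed to every host at once. What makes that detectable is the fan-out, not the tool: one account installs the same remote-execution service on many hosts inside a few minutes, which no administrator does by hand. The Python below runs that check over a constructed sample of Windows System log event 7045 (service installed) records. The pipe-delimited layout (timestamp|host|account|service|image path), the hostnames, the account names and the sample itself are assumptions of this example; the service names it matches (PSEXESVC for PsExec, PAExec-<pid>-<host> for PAExec, RemComSvc for RemCom) are the tools' defaults.

```python
"""Flag a mass PsExec-style push: one account installing a remote-execution
service on many distinct hosts inside a short trailing window.

Input is a flat, pipe-delimited rendering of Windows System log event 7045
(service installed) collected from every endpoint. The layout
timestamp|host|account|service_name|image_path is an assumption of this
example; a real pipeline would map the event's account, ServiceName and
ImagePath fields into it (Windows Event Forwarding or a SIEM export).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Default service names created on the target by common remote-execution
# tools: PsExec -> PSEXESVC, PAExec -> PAExec-<pid>-<host>, RemCom -> RemComSvc.
REMOTE_EXEC_SERVICE_PREFIXES = ("psexesvc", "paexec", "remcomsvc")

# Constructed sample log (hostnames and accounts invented for this example).
# One service account touches six hosts in 25 seconds and re-runs on one of
# them; a helpdesk account touches two hosts 50 minutes apart; one record
# is an ordinary installer service and must be ignored.
SAMPLE_LOG = r"""
2020-07-23T03:00:01|WS-001|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T03:00:03|WS-002|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T03:00:06|WS-003|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T03:00:09|FS-01|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T03:00:14|SQL-01|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T03:00:20|WS-004|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T03:00:25|WS-001|CORP\svc_backup|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T09:15:00|WS-077|CORP\helpdesk1|PSEXESVC|%SystemRoot%\PSEXESVC.exe
2020-07-23T10:00:00|WS-012|CORP\jdoe|VendorUpdater|C:\Program Files\Vendor\updater.exe
2020-07-23T10:05:00|WS-013|CORP\helpdesk1|PAExec-4120-WS-013|C:\Windows\PAExec-4120-WS-013.exe
"""


def is_remote_exec_service(service_name):
    """True for service names that PsExec-family tools create on the target."""
    return service_name.lower().startswith(REMOTE_EXEC_SERVICE_PREFIXES)


def parse_records(text):
    """Parse the pipe-delimited sample layout into dicts, skipping blank lines."""
    records = []
    for line in text.strip().splitlines():
        ts, host, account, service, image = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "account": account, "service": service, "image": image})
    return records


def find_mass_push(records, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per account that installed a remote-exec service on at
    least `threshold` distinct hosts within any span of length `window`.
    Repeat installs on the same host count once, so a re-run of the attacker's
    loop (or a retry) does not inflate the host count."""
    by_account = defaultdict(list)
    for r in records:
        if is_remote_exec_service(r["service"]):
            by_account[r["account"]].append((r["ts"], r["host"]))

    alerts = []
    for account, events in by_account.items():
        events.sort()
        in_window = defaultdict(int)  # host -> installs inside the trailing window
        left, best = 0, None
        for ts, host in events:
            in_window[host] += 1
            # Evict events older than the trailing window ending at `ts`.
            while events[left][0] < ts - window:
                old_host = events[left][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                left += 1
            if len(in_window) >= threshold and (
                    best is None or len(in_window) > len(best["hosts"])):
                best = {"account": account, "first": events[left][0],
                        "last": ts, "hosts": sorted(in_window)}
        if best is not None:
            alerts.append(best)
    return alerts


def analyze_sample(threshold=5, window_minutes=10):
    """Run the detection over the constructed sample log."""
    return find_mass_push(parse_records(SAMPLE_LOG), threshold,
                          timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for a in analyze_sample():
        print(f"{a['account']} pushed a remote-exec service to {len(a['hosts'])} hosts "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}: "
              f"{', '.join(a['hosts'])}")
```

On the sample this fires once, for the service account that hit six hosts in 25 seconds, and stays quiet for the helpdesk account that used PsExec on two machines 50 minutes apart. Two caveats a practitioner would want: PsExec's -r option lets the attacker pick the service name, so the name match alone is evadable, and the same fan-out check should also be run over event 4624 type-3 (network) logons and ADMIN$ share access keyed by account and source address, which is where the Domain Controller running the loop would show up; and the threshold and window need tuning against whatever legitimate software-deployment tooling the environment uses, which is exactly the traffic this pattern looks like.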
| james412 wrote:
| > I am having a hard time imagining how a compromise of a workstation could result in the entire company -- their own apps, their call center -- going down for days
|
| Can't guess at specifics, but if it's a Windows network, I would be utterly unsurprised if all users had excess permissions to shared drives.
|
| Many Windows networks just have a giant X: everyone can write to, and it's been like that forever, and it's so deeply baked into everyone's workflow that it never gets fixed.
| stefan_ wrote:
| Is it common practice to have the servers running your production (not in the manufacturing sense) cloud services _join the AD domain that has your office staff in it_? Why? That doesn't even make any sense from a convenience PoV.
|
| It just seems like an unfathomable level of incompetence required to go from compromising some random Windows workstation all across the hardware that runs your app services. And lest we forget: a ransomware attack is always also a massive _data loss attack_. Garmin better get to work complying with the law and notifying impacted customers (all of them?).
| EvanAnderson wrote:
| I would presume that the attacker was able to obtain Domain Admin / Enterprise Admin rights before they deployed the payload, then they just steamrolled over everything.
|
| The one of these that I got called in to clean up after literally had a batch file on Domain Controllers w/ a text file of computer names for a FOR loop launching the malware on computer-after-computer with "psexec". It was decidedly non-sophisticated. The attacker compromised a Domain Admin account and then they were set.
| verytrivial wrote:
| For the vast majority of users Garmin have ZERO liability re data retention. They could just say WHOOPS! and zero all accounts and require everyone to resync.
| And I would have respected them for that as they've now sent $10M to these assailants to increase the sophistication of their attacks and retain/lure/entrap more skilled developers. But then I'm a bit of a moral absolutist.
|
| If their financial records were all toast too I wonder what the fines would have been ...
| cafebabbe wrote:
| Brand reputation is a heck of a liability.
| ideals wrote:
| A few people have commented on the logistics of paying a large Bitcoin ransom, which can entail hiring a 3rd party to pay it.
|
| Could an independent party buy the decryption keys from the ransomware party for their asking price then attempt to resell this to Garmin (or other party) for more money?
|
| Of course it's a bit game theory because you're depending on the target to pay and the ransomware attacker to not relinquish and resell the key to anyone else including the target.
|
| Ignore the legality of it all, or else it's not very interesting to think about.
___________________________________________________________________
(page generated 2020-07-27 23:00 UTC)