BleepingComputer has confirmed that Garmin received a decryption key to recover the files encrypted in the WastedLocker ransomware attack. Garmin suffered a worldwide outage on July 23, local time, and customers were unable to access its connected services, including Garmin Connect, flyGarmin, Strava, and inReach.
BleepingComputer was the first to confirm that Garmin had been attacked by the WastedLocker ransomware operators, after employees shared photos of encrypted workstations.
Later, employees told BleepingComputer that the ransom was $10 million.
Four days after the outage began, Garmin abruptly announced that it was restoring service, raising the question of whether it had paid a ransom to obtain a decryptor.
Garmin, however, declined to comment further.
Confirmation: Garmin received a decryption key from WastedLocker.
Today, BleepingComputer acquired an executable file created by Garmin IT to decrypt workstations and then install various security software on the machine.
WastedLocker is ransomware that targets enterprises, and its encryption has no known weaknesses.
To obtain a working decryption key, Garmin would therefore have had to pay the attackers. It is unclear how much was paid, but as previously stated, an employee told BleepingComputer that the initial ransom demand was $10 million.
When the file is unzipped, it contains several security software installers, a decryption key, a WastedLocker decryptor, and a script that runs them.
When executed, the recovery package decrypts the computer and then uses security software to prepare the computer for operation.
Garmin’s script contains a “07/25/2020” timestamp, indicating that the ransom was paid on July 24 or July 25.
Using a sample of WastedLocker from the Garmin attack, BleepingComputer encrypted a virtual machine and tested the decryptor to see whether it could recover the files. The decryptor had no problems decrypting them, as shown in the video below:
After a ransomware attack, every company should follow the general rule of wiping all affected computers and reinstalling them from clean images. Reinstallation is necessary because there is no way to know what the attackers changed during the intrusion.
Judging from the script above, Garmin does not appear to have followed this guideline; the script simply decrypts the workstation and installs security software.