Smartwatch maker Garmin has obtained the decryption key to recover its computer files from a ransomware attack last Thursday, Sky News has learnt.
Last week, Garmin’s services were taken offline after hackers infected the company’s networks with a ransomware virus known as WastedLocker.
A number of the company’s services were operational again on Monday as the business confirmed the “cyber attack” for the first time, stating: “Affected systems are being restored and we expect to return to normal operation over the next few days.”
Last week, the malicious software encrypted the files on Garmin’s corporate network and demanded a ransom be paid in order for the files to be decrypted, essentially shuttering the firm’s entire business.
Security sources who spoke to Sky News said WastedLocker is believed to be developed by Evil Corp, a hacking group based in Russia which was sanctioned by the US Treasury last December.
The sanctions mean that “US persons are generally prohibited from engaging in transactions” with the cyber criminals, although the US Treasury did not respond to questions about whether the general prohibition applied in the circumstances of extortion.
Sources with knowledge of the Garmin incident who spoke to Sky News on the condition of anonymity said that the company – an American multinational which is publicly listed on the NASDAQ – did not directly make a payment to the hackers.
If a payment was made through a third party it could also be covered by the Treasury sanctions, which warn: “Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons.”
Any ransom payment would be specific to Garmin, paid using contact details left in a tailored message the virus included alongside the encrypted files, meaning the company could potentially be seen as having engaged in the transaction if it contracted a third party to do so on its behalf.
Garmin’s representatives declined to respond to repeated offers by Sky News to challenge the sources’ claims, stating the company “does not comment on rumour and speculation”.
Last week, the company confirmed to customers that it was “experiencing an outage that affects Garmin Connect”, the service used by owners of the company’s smartwatches to track their running performance and other health and fitness goals.
Garmin’s website, mobile app and customer service call centres were also taken offline as a result of the incident.
A representative for Garmin told Sky News that they did not have any information to share regarding the ransom payment.
They stated: “We are working to restore our systems as quickly as possible and apologise for the inconvenience. Additional updates will be provided as they become available.”
In a statement on Monday, the company said: “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.
“Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”
However, Brett Callow, a cyber security researcher at Emsisoft, told Sky News: “Absence of indication is not indication of absence.”
A growing cyber criminal threat facing companies involves something called post-intrusion encryption, in which the victim’s machines are encrypted after the criminals have stolen data.
This stolen data is then usually leaked piecemeal on the criminals’ “name and shame” websites in order to extort a ransom payment from the victim.
Victims of such extortion have included a US nuclear missile military contractor and foreign exchange company Travelex.
Although stolen information may not be released after a ransom is paid, it could still be held by the criminals and potentially used to target the individuals it belongs to.