Exclusive

Garmin 'paid multi-million dollar ransom to criminals using Arete IR', say sources

The smartwatch maker had been targeted by ransomware which some researchers believe was created by sanctioned criminals.

BERLIN, GERMANY - JULY 25: The Garmin Connect software, unsuccessfully attempting to contact the company's servers, is seen on a mobile phone in this photo illustration on July 25, 2020 in Berlin, Germany. GPS and wearable device company Garmin said a widespread blackout, now in its third day, has left its fitness devices, website and call centers offline in what may be a ransomware attack. (Photo by Adam Berry/Adam Berry/Getty Images)

Smartwatch maker Garmin paid, through a ransomware negotiation business called Arete IR, a multi-million dollar ransom to criminals who encrypted its computer files, sources have told Sky News.

Earlier this week Sky News reported that Garmin had obtained the decryption key to recover its files from the WastedLocker virus.

Security sources believe this virus has been developed by individuals linked to Evil Corp, a cyber crime group based in Russia that was sanctioned by the US Treasury last December.


According to people with knowledge of the matter, speaking to Sky News on the condition of anonymity, Garmin had initially sought to pay the ransom using another firm which specialises in responding to these incidents.

However, this firm responded that it didn't negotiate ransom payments in WastedLocker cases due to the risk of running afoul of the sanctions.

The sources said that after being initially rebuffed, Garmin then sought the services of Arete IR, a firm which claims that the links between the WastedLocker ransomware and sanctioned individuals have not been proven.

According to Garmin, its systems were hit by the virus on Thursday 23 July. On Friday 24 July, Arete tweeted a study on its website which disputed research attributing WastedLocker to Evil Corp, citing inconclusive evidence.


The criminals began developing the ransomware after the sanctions were issued, and so it is not mentioned specifically in the US Treasury's sanction notice.

The US government has not yet made a public attribution linking WastedLocker to the sanctioned individuals.

The sanctions mean that "US persons are generally prohibited from engaging in transactions" with the 17 individuals and seven business entities tied to Evil Corp, even in cases of extortion.

Arete published claims the ransomware was not connected to Evil Corp the day after the attack

Sources with knowledge of the incident told Sky News that Garmin - an American multinational which is publicly listed on the NASDAQ - did not directly make a payment to the hackers.

Separate sources confirmed to Sky News that Arete IR made the payment as part of its ransomware negotiation services, although Arete argues that WastedLocker is not conclusively the work of Evil Corp.

Neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so.

A representative for Arete told Sky News they could not comment regarding Garmin, stating: "Arete has contractual confidentiality obligations to all clients and therefore cannot discuss any client identity or interactions."

Regarding the allegation that the operators of WastedLocker are covered by US sanctions, they added: "Arete follows all recommended and required screenings to insure compliance with US trade sanctions laws."

Garmin told Sky News it had no additional comment to make.