Cyber Incident Victim: Garmin
Date: Jul 2020
Location: Taiwan
Summary
A major global outage impacted Garmin's connected services, call centers, and aviation, marine, and fitness platforms due to a WastedLocker ransomware attack attributed to the sanctioned Russian cybercriminal group Evil Corp. The company initiated a widespread system shutdown—including data centers and VPN-connected devices—to contain encryption attempts, disrupting services like Garmin Connect, flyGarmin, and inReach activation while preserving SOS functionality. Attackers demanded a $10 million ransom, complicated by U.S. sanctions against the perpetrators, though no user data was compromised and activity data stored locally on devices remained intact pending service restoration.
Description
On July 23, 2020, Garmin experienced a global outage disrupting its connected services and call centers, later confirmed as a WastedLocker ransomware attack. The incident began when employees arriving at work discovered systems compromised, with the ransomware actively encrypting devices across the network. Garmin’s IT department attempted remote shutdowns of networked computers, including VPN-connected home devices, but ultimately instructed staff to manually power down accessible systems. As an emergency containment measure, the company executed a hard shutdown of all data center-hosted devices, precipitating widespread service interruptions. Affected systems included Garmin.com, Garmin Connect, flyGarmin services for aviation (website, mobile app, Connext weather/position reporting, and Pilot Apps functionality), inReach satellite service activation/billing, and Garmin Explore’s location sharing and navigation platforms. The attack originated in Taiwan, corroborated by geographic data from a VirusTotal submission of the ransomware sample.

Analysis confirmed the attackers used a customized WastedLocker variant appending the .garminwasted extension to encrypted files and dropping garminwasted_info ransom notes. The ransomware was attributed to Evil Corp, a Russian cybercrime group operating since 2007 and previously linked to Dridex malware. Attackers demanded a $10 million ransom, complicated by U.S. Treasury sanctions prohibiting financial transactions with the group. Despite service disruptions, Garmin confirmed no user data was accessed or exfiltrated. Activity and health data collected by devices during the outage remained stored locally, syncing to Garmin Connect upon service restoration. Critical inReach SOS and messaging functions maintained operation throughout the incident. The company’s infrastructure recovery involved phased reactivation of systems following containment procedures to isolate compromised network segments.
