Garmin — WastedLocker ransomware
WastedLocker ransomware took Garmin's consumer, aviation and marine services offline for several days; Garmin reportedly paid the $10M ransom to restore operations.
- Target: Garmin — WastedLocker ransomware
- Date public: 23 July 2020
- Sector: Technology
- Attack type: Ransomware
- Threat actor: Evil Corp (WastedLocker)
- Severity: High
- Region: Global
In July 2020 Garmin — the company that makes fitness trackers, GPS devices, and aviation navigation systems — had its online services taken down by ransomware. The attack came from a Russian criminal group called Evil Corp, which had been placed on a US sanctions list the previous year for stealing hundreds of millions of dollars from banks. That sanctions designation created an awkward problem: US companies are legally prohibited from paying money to sanctioned groups, which normally means paying the ransom was not a legal option. The most consequential disruption was to aviation: Garmin's flyGarmin service provides navigation database updates to pilots, and without it, commercial and private pilots couldn't legally update their flight plans during the outage. Consumer fitness users found their watches couldn't sync, and customer service lines went silent. Garmin recovered within days and obtained a decryption tool. Reporting indicated the ransom — around $10 million — was paid through a third-party intermediary in a structure designed to navigate the sanctions risk. Garmin has never confirmed paying. The incident raised unresolved questions about what a sanctioned-entity ransom payment actually means in practice, and whether OFAC's rules create a perverse situation where companies can't safely pay even when recovery depends on it.
What happened
On 23 July 2020, Garmin’s global services went offline simultaneously. Garmin Connect — the platform that syncs and stores data from Garmin fitness devices used by millions of consumers worldwide — became inaccessible. flyGarmin, which provides aviation navigation database services to commercial and private pilots, went dark. Garmin inReach, the satellite-messaging service relied upon by hikers, sailors, and expedition teams in remote locations, stopped functioning. Garmin’s customer service phone lines and email systems also went down, leaving users with no way to contact support.
Garmin confirmed several days later that a “cyber attack” had caused the outage. The attack was quickly identified by security researchers as WastedLocker, a ransomware strain developed and operated by Evil Corp, a Russian-speaking cybercriminal group with ties to Russian intelligence services. The US Treasury’s Office of Foreign Assets Control had sanctioned Evil Corp in December 2019 following a years-long investigation into the group’s use of the Dridex malware to steal over $100 million from banks and financial institutions worldwide. The sanctions designation of Evil Corp — including its leadership figures Maksim Yakubets and Igor Turashev — created an immediate legal complication for Garmin’s incident response.
The aviation impact was the most operationally significant. Garmin flyGarmin provides Jeppesen navigation database updates to pilots of aircraft equipped with Garmin avionics. Regulatory requirements mean pilots must operate with current navigation databases; during the outage, pilots using Garmin-equipped aircraft faced restrictions on updating flight plans and navigation data. For the commercial aviation sector, this was a compliance and safety concern rather than a trivial inconvenience. The disruption lasted several days before flyGarmin came back online.
Garmin services were restored progressively from 27 July onwards. The company confirmed it obtained a decryption key and attributed the recovery to its “IT teams that worked around the clock.” Garmin has never publicly confirmed paying a ransom or the amount involved.
How it worked
WastedLocker was a custom ransomware strain developed by Evil Corp specifically to replace earlier malware (BitPaymer/DoppelPaymer) after those tools became too well-known to antivirus vendors following the 2019 sanctions. It was deployed in targeted attacks against large enterprises, not distributed broadly, and was typically introduced through a sophisticated infection chain involving SocGholish — a JavaScript-based malware framework that masquerades as a browser update notification on compromised websites. Employees visiting legitimate but compromised websites would be presented with a fake Chrome or Firefox update prompt; executing the fake update downloaded SocGholish, which then installed additional payloads and ultimately gave the Evil Corp operators remote access to the corporate environment.
From that initial foothold, Evil Corp operators would conduct extended manual reconnaissance of the target network, escalating privileges, identifying backup infrastructure, and staging the WastedLocker payload. The group was known for identifying and disabling or destroying backup systems before deploying ransomware, which is what creates the dependency on a decryptor. By the time WastedLocker executed, restoring from backups was either not possible or would have taken far longer than the decryptor-assisted recovery path.
The sanctions dimension was operationally significant. OFAC’s sanctions against Evil Corp meant that any US person or entity paying the group — including through intermediaries if the payment ultimately benefited the sanctioned party — was potentially liable for civil or criminal penalties. Coveware, a specialist ransomware negotiation firm, publicly stated it would not negotiate payments to Evil Corp affiliates. Reporting by Sky News and BleepingComputer indicated that Garmin worked with a third-party intermediary to obtain the decryptor in a transaction structured to try to navigate the sanctions risk; the intermediary was identified in reporting as Arete Incident Response. The mechanism by which a payment to Evil Corp could be legally structured has never been publicly resolved, and OFAC has issued no enforcement action related to the Garmin payment.
Timeline
- Prior to 23 July 2020 — Evil Corp operators gain access to Garmin’s network via the SocGholish infection chain. Lateral movement, privilege escalation, and backup targeting during dwell period.
- 23 July 2020 — WastedLocker deployed across Garmin’s systems. Garmin Connect, flyGarmin, inReach, and customer service systems go offline.
- 24–25 July 2020 — Aviation and fitness customers report widespread service failures. BleepingComputer and others identify WastedLocker as the cause. Garmin confirms “outage” without initially naming the cause.
- 25 July 2020 — Garmin acknowledges a “cyber attack” and states it is assessing the impact.
- 27 July 2020 — Garmin begins restoring services progressively. flyGarmin comes back online.
- 3 August 2020 — Garmin issues a statement confirming full service restoration and that “encrypted data was decrypted,” implying a decryption key was obtained.
- September 2020 — Sky News reports Garmin paid a multi-million dollar ransom via a third-party intermediary; Garmin does not confirm or deny.
What defenders should learn
The WastedLocker infection chain through SocGholish deserves specific attention because it exploits ordinary user behaviour on ordinary websites. Employees were not opening suspicious emails from unknown senders; they were visiting legitimate websites that had been compromised by attackers and shown a fake browser update prompt. This is a delivery mechanism that evades the standard “don’t click suspicious links” training message because nothing about the interaction is superficially suspicious. The practical control is application whitelisting or controlled folder access that prevents user-downloaded executables from running, combined with DNS and proxy filtering that flags the callback infrastructure SocGholish uses once installed.
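As an added illustration of the allow-list control described above (this is example code, not from the original page or from Garmin), the following Python rule evaluates constructed endpoint process-creation events and flags Windows script hosts launching scripts from user-writable download or temp locations, which is the shape of the fake browser-update delivery. The event format, host names, user names and the approved script directory are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process-creation events, pipe-separated:
# timestamp|host|user|parent_image|image|command_line  (hypothetical format, not real telemetry)
SAMPLE_EVENTS = r"""
2020-07-20T09:14:02Z|WS-1042|jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\jdoe\Downloads\Chrome.Update.2020.07.js"
2020-07-20T09:15:30Z|WS-1042|jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2020-07-20T09:20:11Z|WS-2210|asmith|C:\Windows\explorer.exe|C:\Windows\System32\cscript.exe|cscript.exe "C:\Users\asmith\AppData\Local\Temp\Firefox.Update.js"
2020-07-20T09:21:00Z|WS-3001|svc_build|C:\Windows\System32\cmd.exe|C:\Windows\System32\cscript.exe|cscript.exe C:\Tools\deploy\inventory.vbs
""".strip()

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}
# Hypothetical allow-list: the only directory script hosts are permitted to run scripts from.
ALLOWED_SCRIPT_DIRS = [PureWindowsPath(r"C:\Tools\deploy")]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)


def script_argument(command_line):
    """Return the first command-line token that looks like a script file, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        token = PureWindowsPath(quoted or bare)
        if token.suffix.lower() in SCRIPT_EXTS:
            return token
    return None


def is_allowed(script):
    """Allow-list check: the script must live under an approved directory (case-insensitive)."""
    return any(d in script.parents for d in ALLOWED_SCRIPT_DIRS)


def evaluate(events_text):
    """Return (host, user, severity, reasons) for each script-host launch outside the allow-list."""
    findings = []
    for line in events_text.splitlines():
        _ts, host, user, parent, image, cmd = line.split("|", 5)
        if PureWindowsPath(image).name.lower() not in SCRIPT_HOSTS:
            continue
        script = script_argument(cmd)
        if script is None or is_allowed(script):
            continue  # nothing to run, or an approved administrative script
        severity, reasons = "medium", ["script outside the allow-list"]
        if USER_WRITABLE.search(str(script)):
            severity, reasons = "high", reasons + ["user-writable download/temp path"]
        if "update" in script.name.lower():
            severity, reasons = "high", reasons + ["filename mimics a browser update"]
        if PureWindowsPath(parent).name.lower() in BROWSERS:
            severity, reasons = "critical", reasons + ["spawned directly by a browser"]
        findings.append((host, user, severity, "; ".join(reasons)))
    return findings
```

In an allow-list deployment the medium and high cases would be blocked outright rather than scored; the scoring here is for hunting over historical telemetry where the control was not yet enforced.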
The backup destruction pattern should be the central architectural lesson. WastedLocker’s effectiveness as a coercive tool depends on the inability to restore from backups. Evil Corp specifically identified and targeted backup infrastructure during the dwell period. The defensive response is offline, air-gapped, or immutable backup storage that cannot be reached from the corporate network even by a domain-admin-level account. Cloud-based backup with immutability enabled, tape-based offline copies, or dedicated backup infrastructure on an isolated network segment all limit the attacker’s ability to eliminate the recovery path.
The sanctions question remains the most unresolved policy issue in ransomware response. The Evil Corp sanctions designation created a situation where the legally cleanest recovery path — not paying — required a technical capability (working backups and a fast rebuild path) that Garmin either did not have or could not execute quickly enough to avoid unacceptable operational impact. OFAC guidance on ransomware payments, updated in 2021, acknowledges that sanctions do not automatically prevent all payments but creates a voluntary disclosure framework that many organisations find inadequate. The gap between what OFAC guidance says and what organisations facing multi-day service outages in critical infrastructure can practically do has not been closed.