> If a payment was made through a third party it could also be covered by the Treasury sanctions, which warn: "Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons."
I accidentally took a phone call for a job that basically involved using Bitcoin to launder money to send ransom payments to terrorists. They told me that although it's technically illegal, the U.S. government has never prosecuted anyone for paying a ransom. I noped out after the first phone call for obvious reasons, but it was pretty interesting just to learn about the industry.
Anyway when Garmin says they didn't pay the ransom themselves, they are telling the truth, instead they would have used this company or one of their competitors. You can't just open a Coinbase Pro account and buy 10 million BTC and transfer it your first day. No bank is going to allow you to do that, since they would then be liable for facilitating that transaction. Instead you need to contract with a company that specializes in ransom payments and has already accumulated the crypto in advance. Then you pay them a percentage for their services.
Weird. I would think that while it's not worth the government's time to go after individual companies paying off ransoms, it would definitely be worth their time to go after a business professionally focused on paying illegal ransoms who tell interview candidates that they are aware that what they do is illegal.
Maybe, maybe not. It's technically illegal to grow or possess any amount of weed, but in practice you don't get prosecuted (by the feds) unless you have over 100 plants or thousands of pounds. Until ~2004 it was illegal for native Americans to be within Boston city limits.
There are thousands of things that are illegal, but in practice are rarely or ever prosecuted, even in cases where people are violating those laws at pretty significant scales.
In my case that's not a risk I'd be willing to take, but I can see why other people would. The reason it's not prosecuted though isn't because of companies, it's because there are lots of wealthy people who travel overseas and then get kidnapped, and the government isn't going to prosecute their families for paying to not have their kids dismembered and the videos posted on YouTube. The reason companies aren't prosecuted is mainly because once you decide not to prosecute families for doing this, then anyone else can make an equal protection argument.
I think you may be writing from a perspective of privilege and in the current civil unrest climate, this may seem a little tone-deaf. We're experiencing nationwide protests because a black person tried to buy cigarettes with a fake $20 bill, and he was murdered.
Perhaps things like your age, gender, and wealth may be insulating you, allowing you to think, "these laws don't actually apply to me", and if they did, you could most likely hire a lawyer and fight it.
Many people in this world cannot. Think about how many people are incarcerated for weed-related "crimes". Just because no one is going to go after YOU for them, doesn't mean that these laws don't serve a purpose to screw over others not so fortunate.
Anyways, not to pick on you specifically - I obviously don't know a whole lot about you, but your reply irked me a bit. Cheers.
I believe you are tilting at a windmill that doesn't exist. OP specifically stated that they didn't take the job because they didn't think it was worth the risk. OP didn't bring up their background. Do you have some information about him/her that the rest of us don't have that would back up your accusation of privilege?
I specifically said I didn't take the consulting gig because I didn't think it was legal, and I wouldn't ever start a commercial grow op for the same reason. So not sure your comment really follows.
Objectively neither activity is probably super high risk, but I still wouldn't be willing to take on either of those risks myself.
I was specifically commenting on this wide-sweeping generality:
> There are thousands of things that are illegal, but in practice are rarely or ever prosecuted, even in cases where people are violating those laws at pretty significant scales.
"rarely or ever prosecuted" for you. You are on the advantageous side of a system that isn't that way on happenstance. Let's take your startup. How easy would it be for a black-owned startup in the US to raise VC funds in comparison to a white-owned startup? How easy is it to get... well any sort of loan if you're a black person, compared to a white person? How many black-owned banks are there that cater specifically to black businesses of any size?
The perspective that there are “thousands of things that are illegal” but not prosecuted always fascinates me, that’s not at all a common perception e.g. here in Germany. Is that a difference between common law and civil law systems? Maybe in places where code law is mostly binding, there’s a lot more pressure on the legislature to keep the law books up to date with the current norms of society.
Personally I see a big difference in the philosophy of lawmaking in the US vs Germany. Take driving, for instance. In the US, almost anyone who can physically climb behind the driver's seat of a car can get a drivers' license, and indeed having a drivers' license in the US is almost a fundamental right. Speed limits are then set, to first order, to accommodate the fact that you have marginal drivers behind the wheel. In addition, the police can - and do - selectively enforce driving laws. Ideally that power would be used to keep truly bad drivers off the roads, although the current civil unrest in America shows that that selective enforcement is, to put it mildly, abused.
In Germany, the barrier to getting a drivers' license is much higher. More training, more stringent tests. But the effect of that is that drivers are (mostly) assumed to be able to adapt their driving to road conditions; as a consequence, you get unlimited legal driving speeds on part of the German road system. In good weather, traffic permitting.
Of course, there are confounding facts: in my experience the average physical state of a car is much better in Germany than the US, and highways are better maintained. But still, the contrast is interesting. In the US, lifting speed limits on even straight roads through the desert would have poor outcomes.
I can only speak from my layman's understanding of US law. In the US, there's a doctrine of prosecutorial discretion. Basically the police and prosecutors can choose whether to arrest and charge someone for a crime.
> "Maybe in places where code law is mostly binding, there’s a lot more pressure on the legislature to keep the law books up to date with the current norms of society."
In the US, where everything is so entwined with politics, there's a lot of unenforceable laws still on the books.
For example, the US Supreme Court struck down sodomy laws in 2003. Last I checked, Texas still has a law on the books criminalizing sodomy. Sure Texas can't enforce it, but the conservative majority in the legislature won't actually repeal the law because politics. Similarly, when the US Supreme Court ruled that banning same-sex marriage was unconstitutional, Texas had to recognize same-sex marriage. But there was no law allowing same-sex couples to divorce. So there was this weird limbo wherein you couldn't get divorced if you were in a same-sex marriage.
There's a difference between laws that exist but are rendered moot by a court ruling it unconstitutional, and laws that exist and are constitutional but are just never used, and laws that exist, and are probably not constitutional, but aren't used, so have never been challenged.
For all intents and purposes sodomy was made legal by the 2003 precedent; that those laws are still technically in black-and-white doesn't mean they're in force.
But there are lots of laws that are still in force but aren't actually picked up and used much. They're still there, though. For instance, hardly anyone was prosecuted for Espionage Act violations for decades, but nobody disputes that the DoJ can dust that law off and start using it again, subject to the current jurisprudence on free speech etc.
In Germany it's currently illegal for someone to leave an escooter outside of a designated parking space. How many of them have you seen just laying around? I know in Mainz I've seen dozens.
Just saying, there's plenty of laws here that aren't prosecuted either.
It partly can be explained through white privilege, as the law enforcement and judicial systems are designed systemically to screw over minorities. Racial profiling is a thing, and if you're black, a police officer can use whatever excuse they want to pull you over while driving, and if they can't find anything, they'll invent something (for example: planting drugs on you). When that happens, your life is literally in danger. Many examples of this can be found - one just has to look at the racial makeup of the US prison system (systemic slavery). It goes really deep. The US is kind of in a state of acknowledging this in a fundamental way, with the movement to defund the police.
Basically, many laws overlap and it isn't always clear what applies. A new law may pass but they don't go strike through all the old laws that no longer apply.
Also there are laws that reference other countries' laws. An example is that it is (or was) illegal to buy/possess a type of meat in the US that is illegal in other jurisdictions. This was made to protect endangered animals but can easily apply to everything as there are a lot of jurisdictions and who really knows if any one of them currently doesn't allow pork or beef for whatever reason.
In Germany it seems as if something is outlawed then it is believed that thing physically can’t be done. In the United States, we take it as a challenge!
Yes, laws are selectively enforced in many jurisdictions. For instance a local sheriff might choose to not enforce state or federal law when he sees it being broken. A local prosecutor can also choose to just not prosecute cases of a certain type as well. This is one reason why Americans are currently protesting our law enforcement, selective enforcement can make life difficult.
> The perspective that there are “thousands of things that are illegal” but not prosecuted always fascinates me, that’s not at all a common perception e.g. here in Germany
It's definitely my perception in Berlin. There is almost no police, prosecutors and courts are completely understaffed.
I can think of an example in New Zealand where an old law (Sedition) was essentially ignored for several decades. A couple years after its first use in a modern setting (early 00's) it was repealed.
> It's technically illegal to grow or possess any amount of weed
Federally. The states have made this all higgledy-piggledy. And since there's money (legit retail income and state sales tax) involved, I'm surprised we don't have more federal troops kicking down more retail establishment doors.
Federal law has changed on this matter and the federal government is prohibited from interfering with states' medical marijuana laws including a complete prohibition on prosecution.
It's a pretty legit business model; just because it's illegal doesn't necessarily mean the government wants to go after them. "Focused on paying illegal ransoms" = "allows companies to recover from devastating attacks by being a middle-man for paying the extortion fee and getting the decryption keys". It's probably one of those things that the government tells people not to do, but acknowledges is inevitable in many cases.
A company I worked at once had a meeting with such a firm, and it all sounded pretty reasonable to me. Obviously, one would hope the company has backups (which are stored in a place that can't itself become encrypted), but if they don't, sometimes the cost of paying the ransom is far, far lower than the cost of staying down. These middle-man firms have probably saved companies from enormous amounts of damage. Another commenter claimed these companies are often in cahoots with the ransomers, which maybe is sometimes true, but I highly doubt it in the case of the company we dealt with, or other US-based companies with physical locations that meet on-site.
Of course in an ideal world no one wants to reward criminals, but just to give an extreme example, if someone kidnapped one of your children and held them hostage, you'd probably pay anything to get them back, and that's not far off from the situation some ransomware-affected companies end up in.
> Of course in an ideal world no one wants to reward criminals, but just to give an extreme example, if someone kidnapped one of your children and held them hostage, you'd probably pay anything to get them back, and that's not far off from the situation some ransomware-affected companies end up in.
That's an appeal to emotion though while a company can do a cost-benefit analysis.
Also, if you pay for your children that means you signal that the kidnapping business model is viable and thus endanger more children. If the government keeps you at gunpoint from paying for your children then yes, in the worst case a bunch of children might die, but the business model would die with them.
No, in the worst case the government would shoot the parents of kidnapped children, and lose its legitimacy in the eyes of the people who it governs. There's no case in which a government would be able to continue to do that with impunity until enough children die to convince every potential kidnapper that kidnapping is a hopeless business.
Right, which is why this is always done as part of a cost-benefit analysis. Sometimes the cost of not paying is far greater.
And yes, paying the ransom signals that hostage-taking can be profitable, but not paying it signals that you value crime prevention over the lives of your children, which isn't necessarily a reputation or circumstance you want, especially when they'll very likely end up brutally murdered.
A company that decided principle-based crime deterrence was more important than granting customers access to any of their funds for 6 months would probably go out of business quickly. Also, try using that argument when talking to people who live in areas largely run by organized crime.
When most of them are from a little connected with the hackers to basically the same people and live off of ransoms I wouldn't use words like Pretty legit. I'm sure the exact business you have worked with is very different, in your opinion. I'm also sure everyone says that. I doubt a single one of these businesses exists that isn't connected to hackers at all. How about a name if you are sure and we'll see?
What are you basing any of this on? Can you show a single example of an American company that this applies to? The onus is on you to substantiate the claim in the first place, not on me to prove innocence.
Paying ransom is illegal in some jurisdictions because it seems to be the easy way to prevent ransoms; whether it works or not I don’t know.
Ransom works when the target is capable and has sufficient incentive to pay out; if you make it so that you’ll face jail time as a CEO who orders a ransom to be paid out, it quite likely might reduce acts of ransom.
I know that there is a grey area that is common in the energy and global construction sectors where companies that might not be able to pay ransom legally essentially have ransom insurance, so when 3 of your workers get kidnapped in Djibouti you have your “insurance company”, which also often facilitates negotiations, extraction and repatriation, handle the case.
(This is also common for other reasons, especially liability reduction if something goes wrong the company can wash their hands of the case and send the families after the “insurance provider”.)
There is also the grey area of “private emergency services” which range from private medevac on standby to assault teams capable of executing asset recovery missions; some even take pride in being able and willing to perform prison breaks.
> They told me that although it's technically illegal, the U.S. government has never prosecuted anyone for paying a ransom
If I was going to take a job doing something that is illegal, I think I might prefer one where the government has prosecuted people. Then I could look at those cases and see what people got off with just probation, which got light sentences, which got harsh sentences, what kind of plea deals were offered. Then I could at least have a decent chance of figuring out if the pay and benefits are worth the risk.
If they haven't prosecuted anyone (and this is not a line of work that has been around for a very long time), I'd worry that they just haven't gotten around to it yet, and I could end up being the first. Being first could be very bad, because they might be pushing for a harsh sentence to discourage others or encourage people prosecuted later to take plea bargains.
Funny enough, back when ransomware was simpler and used the same encryption key, we managed to recover one place by using Memory Forensics on a fucked machine.
I wonder if extracting the key, decrypting the files to not pay $100,000 in BTC would be illegal in some way.
I remember reading a fascinating article on the nature of the companies that deal with ransomware. I think it was this one.
The TLDR is that these middleman companies allow ransomware victims to both pay the fine and save face, by acting as if they didn't pay the fine. The perpetrators prefer to deal with the middlemen as they know how to pay in crypto, and are predictable - the middleman and the hackers are closer to partners than adversaries.
Somehow you missed mentioning the part where the middlemen put up a show claiming to do it by computer forensics and cryptanalysis, supplying deniability to those who do want to pay and fooling those who don't.
I'm curious, when you say terrorist, do you mean groups like Evil Corp (mentioned in the article), or do you mean groups of more "traditional" terrorists funding themselves via malware?
Edit: Or were the ransomware payments at hand not even malware related, but more "traditional" ransoms?
I don't think that it is illegal to pay a ransom in general under US law. It is illegal to receive a ransom, though.
As mentioned in the article, there are caveats related to terrorism and to dealing with entities on sanctions lists.
Now, if Garmin obtained the decryption keys, as is alleged in the article, it is clear that they paid. Note that the 'anonymous sources' cited did not even deny payment but only used a weasel turn of phrase 'did not directly make a payment', which is quite different from 'did not pay'. My best guess, if a payment was made, is that they hired people who are experts in dealing with these situations who arranged everything and who will bill for 'consulting services'...
If I handed you $110 to go buy $100 of drugs, then I'm still paying for the drugs. What judge would be willing to allow such a gotcha to actually pass? There would be a massive industry for legally paying for illegal things if that were the case.
Then again, the acceptability of a gotcha seems to correlate more with the amount of money spent on lawyers than on the rationality of the gotcha, so as long as they have a large enough legal department the worse they'll have is a fine that they likely already included in the cost of the attack.
It's not clear to me from the article that Garmin did in fact get the decryption key. There's enough verbiage suggesting they didn't pay the ransom, so are we to assume they had other means?
It also took Garmin quite a while to acknowledge the ongoing situation formally (their outage page has been accurate with red lights across the board). Could it be that Garmin just started to spin up more hardware and began a migration of their last backups? (I'm so far removed from how their service operates so apologies if this sounds impractical)
Migrating to backups seems possible. Garmin is pretty complex in that it produces hardware and software across a few verticals, but I don't think there's anything that makes them particularly unique in the way they'd handle backups/failover.
I think it's also possible that Garmin proactively pulled the plug on their public-facing services in order to mitigate the spread of the attack. It would be _really_ bad if the attackers could make the hop from Garmin's web services to consumer devices.
I'd be curious to know what all was actually impacted by the ransomware. It sounds like they shut down all their services in order to assess the damage.
Maybe this only affected their corporate infrastructure or manufacturing infrastructure. Looking through my connect account I don't see any missing data that would point to a backup old enough to not be encrypted. My watch does store some information offline so it could be that any gaps have already been filled in or it could be that connect was encrypted and has since been decrypted.
> There's enough verbiage suggesting they didn't pay the ransom
It says they "did not directly make a payment to the hackers". You can't just take 10mil and convert it to bitcoin. My best guess is that a 3rd party made the payment and Garmin will be reimbursing.
They might have paid one of those ransomware subcontractors who claim to solve the problem on a technical level while they actually just pass on the money they are paid after taking a cut. This could have happened both knowingly (on Garmin's side) and not.
The NSA most certainly has the keys, and inshallah I hope that's the case - our nerds better be better than their nerds. I just think they don't want to make our defensive capabilities public. But the many billions per year going to NSA better show some results. Maybe our great Chamber of Commerce can insist on making the NSA's great work and capability available to the Western market forces so key to the current prosperity we all enjoy.
Assuming the ransomers aren't completely incompetent and are using 256-bit or even 128-bit AES, why would you assume that "the NSA most certainly has the keys"?
They might be good but they aren't good enough to randomly crack AES.
If they didn't pay off the hackers and are recovering on their own, it would be in Garmin's best interests to issue a public statement explicitly saying so. Failing to do so may make them a target for other hacker groups. Their vulnerability is now proven and their willingness to pay strongly suggested.
Even if they did pay, wouldn't it still be better to say they were restoring from backups? Makes them look far less vulnerable to the attack and they can likely wrap it with enough PR speak to not be technically lying. Arguably about as morally troublesome of an act as paying for the ransom.
> Even if they did pay, wouldn't it still be better to say they were restoring from backups?
Probably because that would be securities fraud? You'd be essentially duping investors into thinking the company is better than it is. eg. if there was a fire in your widget factory and the whole place got destroyed, you can't turn around and tell investors "everything's fine, the fire suppression system worked as intended", because you'd be lying to investors about the state of the company.
Often what will happen in a large company is that security practices are strengthened in the short term, then people looking for cost cutting measures undo the changes a couple of years later, and the manager responsible might even get a bonus for improving the ops margin (hopefully transferring to another position before the next attack hits).
I'm certain they paid, that's why they are making ambiguous statements. I hope they prosecute them for this payment. An indirect payment is still a criminal action in my opinion. If the mafia said they'd burn their building down or kill their ceo or whatever, and they paid them off through some abstract indirect transaction it would still be wrong.
This should make them a direct target now, they will pay you off. Among many many reasons allowing payments like this will just encourage these criminals to keep doing this bullshit.
I don't want to live in a country where the government prosecutes victims of crimes instead of doing its primary duty of national defense against foreign attackers.
That sounds great in theory, don't prosecute victims of crimes. The govt. must go after these people, regardless of victimization. Yet if the victim encourages more dangerous actions and the 'victim' was a billion dollar corporation they can afford it. It shouldn't be legal to pay off mafia threats, and that's what this basically is.
Who is the victim in prostitution (where no one was trafficked), how about if I buy pot, who is the victim where it's illegal? That theoretical vision of how you want society to work is not matched by the reality of the US.
Has there been any discussion about the technical details of the attack? I am having a hard time imagining how a compromise of a workstation could result in the entire company -- their own apps, their call center -- going down for days. I can see how malware could break production severely ("kubectl delete deployments" from a trusted workstation). I can see how malware can wipe out your desktop. I can see how malware could f your cloud infrastructure account. But I'm not drawing the line to "we can't build a new release and deploy it on another provider" or "we can't buy an emergency Dialpad account to start taking calls from customers".
My guess is this: two separate attacks occurred. The first attack involved compromising production, and installed a scheduled job that, at a certain time, would delete all database backups and code repositories, deschedule all workloads, delete all DNS records, etc. The next attack involves the fact that all source code is on managed workstations, so they compromised the IT management system to push malware to every machine globally at the exact same time that would destroy all git repositories (etc.) on the workstations. The result was that when the scheduled time occurred, production would crash and there would be no backups. (They must have wiped all the tapes at their offsite backup facility, too. I guess anything can be done for a price!)
To me, this sounds too complicated to even be feasible. I am still impressed when I edit some manifest with a new version number that 90% of the time that code eventually starts running. Being able to orchestrate a multiday outage just seems amazing to me, and that you'd make a lot more money being a cloud provider than a cybercriminal.
The other thought I had was that maybe they just kept thinking "we're so close to getting it back" for three days, rather than saying "everything is lost, revert to backups".
> I am having a hard time imagining how a compromise of a workstation could result in the entire company -- their own apps, their call center -- going down for days
Can't guess at specifics, but if it's a Windows network, I would be utterly unsurprised if all users had excess permissions to shared drives
Many Windows networks just have a giant X: everyone can write to, and it's been like that forever, and it's so deeply baked into everyone's workflow that it never gets fixed
I would presume that the attacker was able to obtain Domain Admin / Enterprise Admin rights before they deployed the payload, then they just steamrolled over everything.
The one of these that I got called-in to clean up after literally had a batch file on Domain Controllers w/ a text file of computer names for a FOR loop launching the malware on computer-after-computer with "psexec". It was decidedly non-sophisticated. The attacker compromised a Domain Admin account and then they were set.
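Added example, not part of the thread and not any commenter's code: the psexec fan-out described in the comment above typically leaves a Service Control Manager event 7045 for the PSEXESVC service on every target, so a defender can flag one account installing it on many hosts within minutes. The pipe-delimited export format, host names, account names and thresholds below are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time|host|event id|service name|service image|installing account.
# The field layout is an assumption; map your own System-log export onto it.
SAMPLE_EVENTS = r"""
2024-01-15T02:10:00Z|DC-01|7045|Print Helper|C:\Program Files\Vendor\helper.exe|CORP\da-backup
2024-01-15T02:14:05Z|WS-0101|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\da-backup
2024-01-15T02:14:31Z|WS-0102|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\da-backup
2024-01-15T02:15:02Z|WS-0103|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\da-backup
2024-01-15T02:15:40Z|FS-0001|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\da-backup
2024-01-15T02:16:11Z|FS-0002|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\da-backup
2024-01-15T02:16:48Z|WS-0104|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\da-backup
2024-01-14T09:30:00Z|WS-0200|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\helpdesk1
2024-01-14T15:45:00Z|WS-0201|7045|PSEXESVC|%SystemRoot%\PSEXESVC.exe|CORP\helpdesk1
""".strip().splitlines()


def parse_events(lines):
    """Turn export lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        ts, host, event_id, service, image, account = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host.upper(),
            "event_id": int(event_id),
            "service": service,
            "image": image,
            "account": account.lower(),
        })
    return events


def is_psexec_install(ev):
    """Event 7045 = 'a service was installed'. This matches the default
    PsExec service name and image only, so a miss is not proof of absence."""
    if ev["event_id"] != 7045:
        return False
    return (ev["service"].upper() == "PSEXESVC"
            or ev["image"].upper().endswith("PSEXESVC.EXE"))


def find_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Return one alert per account that installed PSEXESVC on at least
    min_hosts distinct hosts inside any sliding window of the given length."""
    by_account = defaultdict(list)
    for ev in events:
        if is_psexec_install(ev):
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        win = deque()
        best = None
        for ev in evs:
            win.append(ev)
            # Drop events that have fallen out of the window ending at ev.
            while ev["time"] - win[0]["time"] > window:
                win.popleft()
            hosts = {e["host"] for e in win}
            if len(hosts) >= min_hosts and (
                    best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "start": win[0]["time"],
                        "end": ev["time"], "hosts": sorted(hosts)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['account']}: PSEXESVC installed on "
              f"{len(alert['hosts'])} hosts between {alert['start']} "
              f"and {alert['end']}: {', '.join(alert['hosts'])}")
```

The occasional single-host install by a help-desk account stays below the threshold; tune `window` and `min_hosts` to how remote administration is actually done on the network.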
> Many Windows networks just have a giant X: everyone can write to, and it's been like that forever, and it's so deeply baked into everyone's workflow that it never gets fixed
I've seen this too, and you need to be vigilant with what accesses these kinds of resources (basically anybody with write access to these shares also has execute access to any accounts executing from that share).
Is it common practice to have the servers running your production (not in the manufacturing sense) cloud services join the AD domain that has your office staff in it? Why? That doesn't even make any sense from a convenience PoV.
It just seems like an unfathomable level of incompetence required to go from compromising some random Windows workstation all across the hardware that runs your app services. And lest we forget: a ransomware attack is always also a massive data loss attack. Garmin better get to work complying with the law and notifying impacted customers (all of them?).
If there's one thing I've learned in the computer industry, it's that there is no such thing as an unfathomable level of incompetence. All levels of incompetence are not only fathomable, but repeatedly demonstrated. It's amazing that anything works at all.
Taking all our services down this hard would require enormous efforts in coordination, potentially months of preparation to make sure it would execute satisfactorily.
I think Occam must be at work here. There must be some simpler reason why this attack is such a disaster.
The impression I got was that the call centre/apps were taken down as preventative measure by their own IT dept. It was probably best from a PR standpoint to keep the call centre silent rather than having a de facto inoperable call centre inundated with calls about the broken service.
There's nothing definitive that says they paid the ransom or obtained the decryption key from the attackers. Rumors on Twitter say that they're rebuilding services from backups and slowly getting things back online.
Ex Garmin employee here. Some of their infrastructure supports emergency response. Hard to know how much of what went offline, but if /that/ goes down, people die. On-call was not fun.
Supposedly inReach wasn't included in the downtime? Wonder if due to better infra or just highly (and rightfully so) prioritized once things went south.
Checking https://status.inreach.garmin.com/ (oh the memories) Looks like the meat and potatoes held together! I'd credit segregated infrastructure and redundancy.
Ah, that would probably explain it. I was wondering if the actors wanted to avoid touching services that could impact people's lives, due to that potentially leading to more motivated investigations. Possibly, but also could just be that it is largely a hardware front-end for Iridium's service.
The outage took out at least some of their aviation services. If they are unable to update routes and IFR approach procedures then lives could indeed be at risk.
Not quite. The onus is on the pilots to never fly with out-of-date navigation information (it's actually illegal), so if they can't get that from Garmin, they'd just have to get it from somewhere else instead. Garmin's data services being unavailable isn't endangering anyone.
They don't. Garmin's cloud services supply map/chart data updates and backend services for their mobile app (which is separate from installed avionics) to support flight planning functionality.
I wonder if going after such a well known target was a mistake since once the news leaked out it put Garmin in a position where it would be much harder for them to pay the ransom. I wonder if their chances of success are higher by going after a larger number of lesser known and less valuable targets who may not garner the attention nor have the IT staff to deal with the issue.
For the vast majority of users Garmin have ZERO liability re data retention. They could just say WHOOPS! and zero all accounts and require everyone to resync. And I would have respected them for that as they've now sent $10M to these assailants to increase the sophistication of their attacks and retain/lure/entrap more skilled developers. But then I'm a bit of a moral absolutist.
If their financial records were all toast too I wonder what the fines would have been ...
I should be able to see all of my locally recorded stuff without the cloud.
I was happy that basic functions of my Garmin Venu continued to work. But some stuff should be cached, or stuff that hasn't been sync'd should be available locally.
I want to say that previous versions of Garmin Connect did have the data locally, such that you could see your runs or activities without being connected to the Garmin services.
The present version of Garmin Connect does nothing if you are not connected to Garmin servers. E.g. you can't see your activities, your data or anything else.
When this change occurred, I remember that it annoyed me greatly. Why not have some local data cached on your phone? Other apps seem to manage that no problem. If you'd have no internet access, you could at least still use the app to see your activities and sync them later.
This seems so obvious to me that I have trouble understanding why they chose the current route.
Of course, it's still not a total disaster. Garmin devices still work and track, you can still view the data on them, and they usually plug in as a USB drive anywhere so you can upload the data manually.
Still, for smartwatch users, this could have been a really minor inconvenience rather than what it is now.
I'm quite surprised that people seem kind of ok with the idea of ransomware. It's a horrible, criminal, corrupt practice and it's destructive to pay or participate in anything to do with this.
You want to know if Garmin pushed malware/ransomware via its app onto 1 million smartphones? The apps seem to have been last updated July 21, and Garmin's systems were locked July 23, so.... ?
I don't know. It seems like whenever a company needs to have data shared, it by default is siloed. Yet when a company needs siloed/segmented verticals, they are shared with no boundaries. You rarely hear about companies that have done it correctly, yet everyone has worked for a company that does it badly.
It's their absolute boom segment right now, dwarfing the revenue of all others. Somehow the Apple watch made a lot of people who'd rather wear a Garmin suddenly think that it's perfectly fine to wear an absurdly expensive GPS watch. Garmin has succeeded in establishing a price range where the Apple offering would barely make the upper third.
I feel seen by this comment! TBF, I already had a Garmin GPS watch that I bought circa 2006 (one of their first I believe) for tracking my runs. When it came time to upgrade I compared it to the Apple watch. And you're right. I definitely decided I'd much rather spend that much money on something with a 12yr upgrade cycle vs the 2-4 year cycle on many of my Apple devices.
What I've found most surprising is I have young children, and having a Garmin activity tracker watch (seems to be not much more than a step counter) has become the thing every 6yo is expected to have these days. We've avoided it so far, but from speaking to parents with children at neighboring schools they're nearly ubiquitous in the youngest year levels now.
They and many competitors offer models in every price range, starting at 50$. Of course they will also offer very high end devices with features you won't find on an Apple watch.
I'm pretty sure the 200$ model has features that Apple doesn't have. One is primarily a lifestyle product and the other is primarily focused towards athletes. Both brands overlap with some products but I wouldn't say they found a way to really get their foot into others' market.
GPS smart watches are probably their most successful consumer product currently. If you glance at their website you might think that's all that they do.
I was confused by the use of "sanctioned" in the byline. They meant it to mean "had sanctions imposed", but I understood it as "given permission" which set the article in a completely different tone. What an odd word.
Does the US or other Western country ever retaliate? It seems to me that Russia and China keep attacking us and we do nothing. Was VKontakte ever taken down? What would happen if a US hacker group "independent" of NSA would attack a Russian company?
A few people have commented on the logistics of paying a large Bitcoin ransom which can entail hiring a 3rd party to pay it.
Could an independent party buy the decryption keys from the ransomware party for their asking price then attempt to resell this to Garmin (or other party) for more money?
Of course it's a bit game theory because you're depending on the target to pay and the ransomware attacker to not relinquish and resell the key to anyone else including the target.
Ignore the legality of it all else it's not very interesting to think about.
More likely scenario: the attackers demand 10 mil knowing that 10 would be an unlikely best case scenario and a more likely outcome would be something like 2 mil, passed on in exchange for the keys by a cooperating fake computer forensics firm that claims to be able to restore the data without paying the attackers. For only 3 mil, an absolute bargain. The victim would pay the 3 mil, either falling for the show or claiming to be falling for the show.