
This title is overly misleading. There is no evidence presented in the article to even suggest they paid the ransom. And Garmin declined to comment.

It's possible they paid, but it's also possible they are just restoring backups.



If they didn't pay off the hackers and are recovering on their own, it would be in Garmin's best interests to issue a public statement explicitly saying so. Failing to do so may make them a target for other hacker groups. Their vulnerability is now proven and their willingness to pay strongly suggested.


Even if they did pay, wouldn't it still be better to say they were restoring from backups? Makes them look far less vulnerable to the attack and they can likely wrap it with enough PR speak to not be technically lying. Arguably about as morally troublesome of an act as paying for the ransom.


>Even if they did pay, wouldn't it still be better to say they were restoring from backups?

Probably because that would be securities fraud? You'd be essentially duping investors into thinking the company is better than it is. E.g., if there was a fire in your widget factory and the whole place got destroyed, you can't turn around and tell investors "everything's fine, the fire suppression system worked as intended", because you'd be lying to investors about the state of the company.


Investors don't get to see trade secrets. They obviously restored some backups even if they paid ransom via a reputation laundering company.


Well, if they didn’t have good DR before, you can bet they will now. An ounce of DR planning is worth a pound of the ransomware cure :)


This is a logical conclusion, big dumb inc are rarely logical. One can hope.


Often what will happen in a large company is that security practices are strengthened in the short term, then people looking for cost cutting measures undo the changes a couple of years later, and the manager responsible might even get a bonus for improving the ops margin (hopefully transferring to another position before the next attack hits).


I'm certain they paid, that's why they are making ambiguous statements. I hope they prosecute them for this payment. An indirect payment is still a criminal action in my opinion. If the mafia said they'd burn their building down or kill their CEO or whatever, and they paid them off through some abstract indirect transaction it would still be wrong.

This should make them a direct target now, they will pay you off. Among many many reasons allowing payments like this will just encourage these criminals to keep doing this bullshit.


I don't want to live in a country where the government prosecutes victims of crimes instead of doing its primary duty of national defense against foreign attackers.


That sounds great in theory, don't prosecute victims of crimes. The govt. must go after these people, regardless of victimization. Yet if the victim encourages more dangerous actions and the 'victim' was a billion dollar corporation they can afford it. It shouldn't be legal to pay off mafia threats, and that's what this basically is.

Who is the victim in prostitution (where no one was trafficked), how about if I buy pot, who is the victim where it's illegal? That theoretical vision of how you want society to work is not matched by the reality of the US.



