“Evil Corp” hackers strike again, demand $10M to restore Garmin services


American multinational GPS and wearable device maker Garmin Ltd. shut down some of its connected services and call centers on Thursday following what the company called a worldwide outage, widely thought to have been caused by a WastedLocker ransomware attack.

In addition to services for consumer wearables and sportswear, flyGarmin was also down on Thursday. flyGarmin is Garmin’s web service that supports the company’s line of aviation navigational equipment.

It is being widely reported that the cybercriminals, Evil Corp, are demanding $10 million. As of Sunday, July 26, there was no indication of whether the ransom would be paid. All systems still appeared to be locked down at Garmin.


While Garmin didn’t disclose it in its outage alerts, it was reported on the Bleeping Computer website that multiple flyGarmin services used by aircraft pilots also went down.

WastedLocker ransomware attack shuts down Garmin

Early reports state that the attack started in Taiwan. iThome published a report about a ‘virus’ attack affecting the company’s internal IT servers and databases. 

Garmin Taiwan factories were forced to shut down production lines for two days on July 24 and 25. There is no confirmation that they have returned to work yet.

The company announced on its website that the customer service system and map software updates are temporarily suspended due to system maintenance. The company-wide shutdown coincides with what seems to be a global outage for Garmin Connect and other connected services.

Garmin has made little public comment on the problem. On Thursday, the company issued a tweet saying “we are currently experiencing an outage that affects Garmin Connect,” adding that the outage “also affects our call centers and we are currently unable to receive any calls, emails, or online chats.”

They have since released a statement confirming they were victims of a cyberattack, but offered assurances that at this time they do not believe customer data was accessed, lost, or stolen.

“Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020,” said Garmin. “As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.”

Evil Corp uses WastedLocker ransomware

BleepingComputer was the first to report that Evil Corp operators used WastedLocker ransomware to encrypt systems on Garmin’s network, which led to a significant worldwide outage of multiple services and products.

Evil Corp is a Russia-based cybercriminal group that has been active since 2007. They specialize in targeted attacks on corporate networks.

In November of last year, the U.S. Department of Justice (DOJ) charged Russian citizens Maksim V. Yakubets and Igor Turashev with deploying malware for ransomware to commit international bank fraud and computer hacking schemes.

The two were charged with conspiracy, computer hacking, wire fraud, and bank fraud in a 10-count indictment concerning the distribution of the malware they used to automate the theft of sensitive financial and personal information like banking credentials, as well as for infecting their victims with ransomware in more recent attacks.

The U.S. Treasury Department sanctioned the Evil Corp gang in December 2019 after its members were charged with using Dridex to cause more than $100 million in financial damages.

At that time, the State Department, in partnership with the FBI, announced a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets. Unfortunately, all the known affiliates of Evil Corp are Russian citizens.

Symantec stops hack attack in June

Symantec previously reported on June 26 that it was able to block Evil Corp from deploying WastedLocker ransomware payloads in attacks against 31 large private companies, 30 of them U.S. corporations, including “11 listed companies, eight of which are Fortune 500 companies.”

Evil Corp hackers did manage to compromise devices used by employees of over 30 major U.S. private firms using fake software update alerts displayed by the malicious SocGholish JavaScript-based framework delivered through dozens of hacked U.S. newspaper websites.

Update of Garmin services availability and the ransom demand

Users of many Garmin products had been unable to use their services since Thursday. It seems that some online tools are being returned in a “limited” state, according to Garmin’s online dashboard.

While Garmin has said it was “the victim of a cyber-attack that encrypted some of our systems,” there has still been no company reference to a ransom demand.

“As our affected systems are restored, we expect some delays as the backlog of information is being processed,” said Garmin. “We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.”

