Garmin mobile app down amid possible ransomware attack

Garmin’s mobile application and services are currently experiencing outages amid reports that the smartwatch and wearables company is suffering from a ransomware attack.

Garmin confirmed on Twitter and its website that its mobile app is down and that it also can’t receive calls, emails, or online chats. Garmin also sent announcements to staff in its Taiwan factories announcing two days of “planned” maintenance for this upcoming weekend, according to reports from iThome, a Taiwanese outlet.

Phil Stokes, a threat researcher at SentinelOne, said the announcement appears to coincide with a WastedLocker ransomware attack against the company. Several Garmin employees likewise alleged that WastedLocker —  a custom ransomware deployed by Evil Corp, a Russian group of criminals known for its Dridex and BitPaymer attacks — was behind the incident, ZDNet reported.

The ransom demands associated with WastedLocker have typically been expensive, according to Malwarebytes, although it was unclear if any demands had been made.

Garmin did not immediately return request for comment on whether the incident is a ransomware attack. CyberScoop could not independently confirm if WastedLocker had targeted Garmin.

‘There are a couple of bad scenarios’

Garmin users may have reason to be concerned about the outages beyond being unable to track their workouts for a few days, as WastedLocker tends to spread through fake software update alerts, Allan Liska, an intelligence analyst at Recorded Future, told CyberScoop.

“There are a couple of bad scenarios. WastedLocker likes to distribute through trojanized software downloads. Garmin has a lot of that, so Garmin could be used as an infection point,” Liska told CyberScoop.

But even if the suspected attackers don’t work to target Garmin users, the repercussions could be damaging, Liska said.

“Even if Evil Corp doesn’t get into the code, they could steal Garmin’s code-signing certs and use them to sign their malware,” Liska said.

Certificates are meant to signify that software comes from a trusted source, but when cybercriminals steal them, they can abuse them in their malware to evade detection under the guise of legitimate software.

Two years ago the cybersecurity of fitness apps came to the fore when Strava inadvertently leaked details about the activity of U.S. military personnel, and Under Armour’s MyFitnessPal suffered a breach affecting 150 million users.

Although it isn’t entirely clear what had caused the outages, there could be one silver lining for Garmin users: Although many ransomware attacks have recently shifted from just encrypting targets’ information and demanding ransom to also stealing sensitive data, WastedLocker has not been known to do that, according to a Malwarebytes analysis. Given the sensitive kind of data Garmin collects on users, such as location data or menstrual cycle information, users may be able to breathe a sigh of relief, for now, on that front.