{
	"id": "75cadeb5-9ee8-4da0-86d5-25e1c0e24bdc",
	"created_at": "2026-04-06T00:17:09.149724Z",
	"updated_at": "2026-04-10T13:13:10.056232Z",
	"deleted_at": null,
	"sha1_hash": "9f5ee461e12cc7214c884331c87fc4be5327c121",
	"title": "Garmin outage caused by confirmed WastedLocker ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2308273,
	"plain_text": "Garmin outage caused by confirmed WastedLocker ransomware attack\r\nBy Sergiu Gatlan\r\nPublished: 2020-07-24 · Archived: 2026-04-05 13:30:26 UTC\r\n08/01/20 Update: Sources had told BleepingComputer that Garmin paid the ransom. Today, in a new article we\r\ndescribe how we obtained the WastedLocker decryptor acquired by Garmin and a restoration package created by their IT\r\ndepartment.\r\nWearable device maker Garmin shut down some of its connected services and call centers on Thursday following what the\r\ncompany called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack.\r\nGarmin's product line includes GPS navigation and wearable technology for the automotive, marine, aviation,\r\nfitness, and outdoor markets.\r\nhttps://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/\r\nPage 1 of 7\n\n\"We are currently experiencing an outage that affects Garmin.com and Garmin Connect,\" an outage update notification\r\npublished on the company's newsroom says.\r\n\"This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. 
We are\r\nworking to resolve this issue as quickly as possible and apologize for this inconvenience.\"\r\nWhile Garmin didn't mention it in their outage alert, multiple flyGarmin services used by aircraft pilots are also down,\r\nincluding the flyGarmin website and mobile app, Connext Services (weather, CMC, and position reports) and Garmin Pilot\r\nApps (Flight plan filing unless connected to FltPlan, account syncing, and database concierge).\r\ninReach satellite tech (Service Activation and Billing) and Garmin Explore (Explore site and Explore app sign) used for\r\nlocation sharing, GPS navigation, logistics, and tracking through the Iridium satellite network are also down.\r\nThe company's Indian branch first tweeted about some servers being shut down due to planned maintenance nine hours ago\r\nthat would limit the performance of the Garmin Express, Garmin Connect mobile, and website.\r\nFour hours later, Garmin's main Twitter and Facebook accounts shared the same outage message (1, 2) about the incident\r\nimpacting Garmin Connect services, including the mobile app and the website, with its call centers also being down due to\r\nthe outage.\r\nGarmin Connect down for maintenance\r\nConfirmed WastedLocker ransomware attack\r\nA source close to the Garmin incident response and a Garmin employee confirmed to BleepingComputer that the\r\nWastedLocker ransomware attacked Garmin.\r\nA Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office on\r\nThursday morning.\r\nBleepingComputer was told that the Garmin IT department had tried to remotely shut down all computers on the network as\r\ndevices were being encrypted, including home computers connected via VPN.\r\nAfter being unable to do so, employees were told to shut down any computer on the network that they had access to.\r\nIn a 
photo of a Garmin computer with encrypted files shared with BleepingComputer, you can see that the .garminwasted\r\nextension was appended to the file's name, and ransom notes were also created for each file.\r\nSource: BleepingComputer\r\nAs part of this company-wide shutdown, the employee told us that Garmin did a hard shutdown of all devices hosted in a\r\ndata center as well to prevent them from possibly being encrypted.\r\nThis company-wide shutdown is what caused the global outage for Garmin Connect and other connected services.\r\niThome also published a report on a Garmin internal memo earlier about a 'virus' attack affecting the company's internal IT\r\nservers and databases that caused Garmin Taiwan factories to shut down production lines for two days (on July 24 and 25th).\r\nIf you work at Garmin or know someone working there with first-hand information on this incident, you can confidentially\r\ncontact us on Signal at +16469613731.\r\nAfter further research, BleepingComputer found the same WastedLocker ransomware sample used in the attack on Garmin.\r\nAs WastedLocker samples are customized for each target, having access to the sample lets us generate the same ransom note\r\nand encrypted files as seen during the attack.\r\nAs you can see below, files encrypted with this WastedLocker sample append the same .garminwasted extension and create\r\nthe same garminwasted_info ransom note as shown in the photo sent to BleepingComputer by the Garmin employee.\r\nFiles encrypted using WastedLocker sample from Garmin\r\nSource: BleepingComputer\r\nFurthermore, the ransom notes generated by the sample are addressed to 'GARMIN', as shown below.\r\nGarmin ransom note\r\nSource: BleepingComputer\r\nReports state that the attack started in Taiwan, which coincides with the location of one of the users who uploaded the\r\nsample to 
VirusTotal.\r\nBleepingComputer was told by one of the sources that the attackers are demanding a $10 million ransom.\r\nBleepingComputer has not been able to verify this amount independently.\r\nEvil Corp's WastedLocker ransomware\r\nEvil Corp (aka the Dridex gang) is a Russian-based cybercriminal group active since at least 2007 known to be the ones\r\nbehind Dridex malware and for using ransomware as part of their attacks including Locky ransomware and their own\r\nransomware strain known as BitPaymer.\r\nThe U.S. Treasury Department sanctioned the Evil Corp gang in December 2019 after being charged for using Dridex to cause\r\nmore than $100 million in financial damages.\r\nDue to this, it is a tricky situation for Garmin if they want to pay the ransom as they would potentially be violating United\r\nStates sanctions.\r\nSince then, the hacking group has refreshed their tactics once more and are now again involved in the ransomware\r\n\"business,\" deploying their new WastedLocker ransomware in targeted corporate attacks and asking for ransoms of millions\r\nof dollars.\r\nEvil Corp operators also used WastedLocker ransomware to encrypt systems on Garmin's network, which has led to a\r\nsignificant worldwide outage of multiple services and products, including Garmin Connect, Garmin Explore, Garmin\r\ninReach, and flyGarmin.\r\nLast month, Evil Corp was blocked from deploying WastedLocker ransomware as part of dozens of attacks against major\r\nU.S. corporations, including multiple Fortune 500 companies.\r\nHowever, they did manage to compromise devices used by employees of over 30 major US private firms using fake\r\nsoftware update alerts displayed by the malicious SocGholish JavaScript-based framework delivered through dozens of\r\nhacked U.S. 
newspaper websites.\r\n07/26/20 Update: Garmin says on a page dedicated to sharing more information about the ongoing outage that they are\r\nworking to restore systems and that no user data was impacted:\r\nWe are working to restore our systems as quickly as possible and apologize for the inconvenience.\r\nAlthough Garmin Connect is not accessible during the outage, activity and health and wellness data collected from Garmin\r\ndevices during the outage is stored on the device and will appear in Garmin Connect once the user syncs their device.\r\nGarmin has no indication that this outage has affected your data, including activity, payment or other personal information.\r\nGarmin also says that inReach SOS and messaging (including the MapShare website and email reply page) were not\r\nimpacted by the outage and they are fully functional.\r\nBleepingComputer has contacted Garmin for more information on this incident, but the mail bounced back as the mail\r\nservers are shut down.\r\nSource: https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/"
	],
	"report_names": [
		"garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f5ee461e12cc7214c884331c87fc4be5327c121.pdf",
		"text": "https://archive.orkl.eu/9f5ee461e12cc7214c884331c87fc4be5327c121.txt",
		"img": "https://archive.orkl.eu/9f5ee461e12cc7214c884331c87fc4be5327c121.jpg"
	}
}