Smartwatch maker Garmin paid a multi-million dollar ransom to criminals who encrypted its computer files through a ransomware negotiation business called Arete IR, sources have told Sky News.
Earlier this week Sky News reported that Garmin had obtained the decryption key to recover its files from the WastedLocker virus.
Security sources believe this virus has been developed by individuals linked to Evil Corp, a cyber crime group based in Russia that was sanctioned by the US Treasury last December.
Supercars and a lion cub: Evil Corp’s riches
According to people with knowledge of the matter, speaking to Sky News on the condition of anonymity, Garmin had initially sought to pay the ransom using another firm which specialises in responding to these incidents.
However, this firm responded that it didn’t negotiate ransom payments in WastedLocker cases due to the risk of running foul of the sanctions.
The sources said after being initially rebuked, Garmin then sought the services of Arete IR, a firm which claims that the links between the WastedLocker ransomware and sanctioned individuals have not been proven.
According to Garmin its systems were hit by the virus on Thursday 23 July. On Friday 24 July, Arete tweeted a study on its website which disputed research attributing WastedLocker to Evil Corp, citing inconclusive evidence.
The criminals began developing the ransomware after the sanctions were issued, and so it is not mentioned specifically in the US Treasury’s sanction notice.
The US government has not yet made a public attribution linking WastedLocker to the sanctioned individuals.
The sanctions mean that “US persons are generally prohibited from engaging in transactions” with the 17 individuals and seven business entities tied to Evil Corp, even in cases of extortion.
Arete claimed the ransomware is not connected to Evil Corp
Sources with knowledge of the incident told Sky News that Garmin – an American multinational which is publicly listed on the NASDAQ – did not directly make a payment to the hackers.
Separate sources confirmed to Sky News that Arete IR made the payment as part of its ransomware negotiation services, although Arete argues that WastedLocker is not conclusively the work of Evil Corp.
Neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so.
A representative for Arete told Sky News they could not comment regarding Garmin, stating: “Arete has contractual confidentiality obligations to all clients and therefore cannot discuss any client identity or interactions.”
Regarding the allegation that the operators of WastedLocker are covered by US sanctions, they added: “Arete follows all recommended and required screenings to insure compliance with US trade sanctions laws.”
Garmin told Sky News it had no additional comment to make.