Ransomware · Ransom paid

Garmin WastedLocker ransomware (Evil Corp)

Evil Corp deployed the WastedLocker ransomware against Garmin, taking flyGarmin aviation services, Garmin Connect, and inReach satellite messaging offline for five days. Garmin paid an estimated $10M ransom despite OFAC sanctions on Evil Corp.

Victim: Garmin Ltd.
Loss: $30.0M

On 23 July 2020, Garmin Ltd., the U.S. consumer and aviation electronics manufacturer, was hit by WastedLocker ransomware deployed by Evil Corp, the Russian cybercrime operation whose principals had been OFAC-sanctioned seven months earlier. The attack took Garmin's consumer and aviation services offline for five days; Garmin paid the ransom despite the sanctions, and OFAC issued a clarifying advisory in response.

What happened

Evil Corp operators had been on Garmin's network for approximately a month before the encryption event. The initial access vector was likely SocGholish (FakeUpdates), a social-engineering toolkit that injects fake browser-update prompts into compromised legitimate websites and drops a Cobalt Strike beacon when the victim accepts the "update". SocGholish is a long-running Evil Corp initial-access toolkit.

From there the operators followed the standard ransomware playbook:

  • Cobalt Strike for command-and-control and lateral movement.
  • Mimikatz for credential harvesting.
  • Privilege escalation to domain administrator.
  • Reconnaissance of Garmin's environment, identifying valuable services and backup systems.
  • WastedLocker deployment at scale on 23 July 2020.

The encryption took most of Garmin's customer-facing services offline simultaneously:

  • Garmin Connect, the platform that syncs fitness data from Garmin watches.
  • flyGarmin, the aviation database update service that pilots use for navigation, weather, terrain, and obstacle data.
  • inReach, Garmin's satellite messaging and SOS service used by remote-area hikers, sailors, and aviators.
  • Garmin customer call centres.

The flyGarmin disruption was the most serious flight-safety implication. Pilots flying Garmin avionics (G1000, G3000, and similar widely deployed systems) rely on flyGarmin to deliver current navigation, weather, and terrain databases; without them the avionics still operate, but on out-of-date data. Multiple flight-safety alerts circulated through aviation channels during the outage.

The ransom payment

Garmin's public communications described the incident as a "systems outage" and avoided the term "cyberattack" for days. Public reporting in early August established that Garmin had acquired a WastedLocker decryption key on or around 27 July, and that the path to the key had involved a U.S. cybersecurity firm acting as an intermediary in the negotiation and payment.

Multiple press reports, citing sources familiar with the negotiation, placed the ransom payment at approximately $10 million in bitcoin. The decryption was successful; most services were restored within 48 hours of obtaining the key.

The payment was legally problematic. In December 2019, the U.S. Treasury had designated Maksim Yakubets and other Evil Corp principals on the OFAC Specially Designated Nationals (SDN) list, making any U.S. person's transactions with Evil Corp, including ransom payments, a sanctions violation. Garmin and the intermediary firm were exposed to potential OFAC enforcement.

OFAC did not bring an action against Garmin specifically. But on 1 October 2020, two months after the Garmin payment, OFAC issued a high-profile advisory clarifying that ransom payments to sanctioned entities are violations regardless of intermediary, widely interpreted as a direct response to the Garmin case even though it did not name Garmin. The advisory has been the primary policy lever shaping U.S. corporate ransomware-payment decisions since.

Impact

  • Five-day outage of consumer and aviation services.
  • Aviation flight-safety implications during the outage that, fortunately, did not result in publicly reported incidents.
  • ~$10 million ransom paid (reported, not confirmed by Garmin).
  • ~$15 million additional business impact from the outage and remediation.
  • OFAC sanctions exposure that ultimately did not result in enforcement against Garmin but reshaped the legal landscape for subsequent victims.

Why it matters

Garmin / WastedLocker is the canonical case for the OFAC-sanctions / ransom-payment conflict. It established:

  • That OFAC designation of a ransomware operation creates a direct legal exposure for paying victims, and that the use of intermediaries does not insulate the victim from sanctions risk.
  • That Evil Corp's rebranding cadence (BitPaymer → DoppelPaymer → WastedLocker → Hades → Phoenix → PayloadBIN → Macaw) was specifically motivated by the OFAC designation; affiliates needed plausible deniability that any given strain was Evil Corp.
  • That critical-safety systems with cloud dependencies (flyGarmin, inReach) carry distinctive risk profiles. The aviation database update outage during the encryption window highlighted a category of cyber-incident impact that is poorly captured in standard breach-cost models.
  • That public communications during ransomware incidents are a major reputational lever. Garmin's "systems outage" framing was widely criticised as evasive and is now cited as a negative example in incident communications playbooks.

Financial impact

Reported costs in USD

Total reported loss: $30.0M (USD · $30,000,000)
Ransom demanded: $10.0M
Ransom paid: $10.0M

Breakdown:
  • Ransom paid: $10.0M
  • Business loss: $15.0M
  • Remediation: $5.0M

Timeline

  1. Evil Corp operators establish initial access on Garmin's network via SocGholish (FakeUpdates) social-engineering toolkit.

  2. Operators establish persistence with Cobalt Strike, escalate to domain admin via Mimikatz, and stage WastedLocker for deployment.

  3. WastedLocker detonated across Garmin's environment. flyGarmin, Garmin Connect, inReach satellite messaging, and Garmin's customer call centres go offline simultaneously.

  4. Pilots reliant on flyGarmin for aviation database updates lose the ability to receive current navigation, weather, and obstacle data, a flight-safety issue with no immediate workaround for many Garmin avionics customers.

  5. Garmin publicly confirms a 'systems outage' affecting most products and services, and declines to call it a cyberattack.

  6. Garmin acquires a decryption key, reportedly via a U.S. cybersecurity firm acting as intermediary.

  7. Most Garmin services restored. Some products' database update lag persists for weeks.

  8. Multiple press reports indicate Garmin paid Evil Corp approximately $10M for the decryptor, despite the December 2019 OFAC SDN designation of Evil Corp principals making such payment a U.S. sanctions violation.

  9. U.S. Treasury OFAC issues advisory clarifying that ransom payments to designated entities are sanctions violations regardless of intermediary; advisory is widely interpreted as a direct response to the Garmin case.

Sources

  1. garmin.com: https://www.garmin.com/en-US/blog/general/our-recent-cyber-attack/
  2. krebsonsecurity.com: https://krebsonsecurity.com/2020/08/garmin-confirms-cyberattack-impact-on-customers/
  3. home.treasury.gov: https://home.treasury.gov/news/press-releases/sm845

Related incidents

Ransomware · Contained

Foxconn Nitrogen ransomware breach (2026)

The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.

Victim: Foxconn (Hon Hai Precision Industry)

Ransomware · Contained

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data, including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim: Schneider Electric, Sustainability Business division