Will Garmin pay $10 Million ransom in order to bring to an end ransomware attack after three days?

·  The navigation company was hit by a ransomware attack on Thursday with customers unable to log in to their apps and record their fitness sessions for five straight days - pilots who use their apps have also been affected

Tens of millions of people around the world have found their Garmin devices, including those used by runners, cyclists and pilots, down for a fifth day after being hacked by Russian group Evil Corps which is demanding a $10m ransom to restore their operation. 

Garmin has been ordered to pay the ransom by the cybercriminal group headed by a 33-year-old Russian playboy hacker, Maksim Yakubets, who drives a customized $250,000 Lamborghini. 

In December 2019, the FBI placed a $5 million bounty on Yakubets head for information leading to his capture. It is the largest reward being offered for an alleged criminal connected to cybercrime.

Yakubets' latest target is Garmin, which has still offered no explanation for their outage, but security analysts said the reason is likely ransomware, a technique used by hackers to encrypt data and extort funds.     

The company said on Twitter that its website and Garmin Connect fitness app had been offline since Thursday. It said the 'flyGarmin' site used for aviation databases was also down.

Maksim Yakubets speaks with a police officer. Yakubets drives a customized Lamborghini Huracan supercar with a personalized number plate that translates to the word 'Thief'   

The malware has been linked to a Russian cybercriminal group known as Evil Corp.  

In December 2019, the U.S. Treasury Department sanctioned Evil Corp after causing more than $100 million in financial damages in the American banking system. 

As a result, if Garmin wanted to pay the ransom, it could potentially be found to be breaking United States sanctions. 

 Evil Corp is a Russia-based cybercriminal organization, headed by Maksim Yakubets, which is believed to be responsible for the ransomware attack against Garmin.

Yakubets is alleged to have run the operation since May 2009 from the basements of Moscow cafes.

He is said to have employed dozens of people to steal money from victims in 43 countries using computer viruses that are designed to target only victims outside Russia.

The ‘malware’ is downloaded when a victim clicks on an email attachment and remains hidden on their computer to harvest their personal and financial data such as online banking details – which is subsequently used to drain their accounts.

Operating online under the name Aqua, the hacker and his associates are accused of stealing at least $100million.

US treasury officials also say Yakubets has provided ‘direct assistance to the Russian government’ by acquiring confidential documents for the FSB security agency. He was also said to be part of a scheme in which Russian intelligence agencies recruit criminals to hack national security targets.

Yakubets, a Russian national originally from Ukraine, is still at large, as is his administrator Igor Turashev, 38.

In December, 15 people associated with the hacking group were sanctioned by the US treasury. Many are believed to be living in Moscow.

If Yakubets leaves Russia, he will be arrested and extradited to America to face charges. Financial sanctions have been imposed on him by the US, but privately, insiders say the chances of him setting foot outside Russia remain small.

Yakubets is known to be a flamboyant character and along with his flash cars, one of which is a customized Lamborghini with a number plate that reads THIEF in Russian, he is known to have splashed out on a pet tiger and lion cubs.

He is described as untouchable in the Russian capital, Moscow, where he regularly films himself driving 'doughnuts' around police, with tires screeching, in one of his fleet of supercars -  'cash rich with fast cars' bought from the proceeds of fraud.

For a decade the multi-millionaire is said to have run the world's most harmful cyber-crime group.

Yakubets, who has also worked for Russia's FSB intelligence agency, is said to live like a king, splurging more than $250,000 on his wedding. 

He married at a golf club north of Moscow in summer 2017 to glamorous businesswoman Alyona Benderskaya.

She is believed to be the owner of a chain of Moscow stores selling Italian luxury clothing called Plein Sport and graduated from the Higher School of Economics in Moscow in 2014. Benderskaya is believed to be Yakubets' second wife.

Her father, Yakubets' father-in-law, is a former officer with an elite special-forces unit of the FSB, Eduard Bendersky but it is also believed that some of his spy work for the organization rubbed off on his daughter.  

Benderskaya is known to be a founder of several companies called Vympel-Aktiv and Vympel-Protekt which are linked to the FSB's Special Purpose Center, known mainly for counterterrorism operations and 'foreign sabotage operations' according to RadioFreeEurope. 

In April 2018, Yakubets was in the process of obtaining a license to work with classified Russian information from the Russian spy agency, the FSB - the Federal Security Service of the Russian Federation.

The FSB was the main successor agency to the KGB. 

Yakubets was also responsible for recruiting and managing a network of individuals to Evil Corps who would then be responsible for facilitating the movement of money illicitly.

Yakubets was married at a golf club north of Moscow in summer 2017 to glamorous businesswoman Alyona Benderskaya who runs a chain of Italian luxury clothing stores

Maksim Yakubets' wedding in 2017 to Alyona Benderskaya whose father-in-law works for FSB

Over the past five days, Garmin, a company valued at $18 billion, has become Yakubets' latest target. On Sunday night, even the company's website was unable to load properly. 

The security news website Bleeping Computer described Garmin as being attacked by the WastedLocker ransomware.

The ransomware attack works by encrypting the company's data, rendering it inaccessible to employees. Evil Corp have demanded a $10 million ransom for the data to be freed up.     

Screenshots show lists of the company's files encrypted by the malware, with a ransom note individually attached to each file.

The note tells the recipient to contact one of two email addresses to 'get a price for your data'.

It is not clear whether any customer data has been compromised, as the tech firm continues to investigate and works to resolve the matter.  

Files shared from a Garmin employee show how a ransomeware file had been attached to each one giving the user details of what to do next in order to retrieve their data

A tweet shows the email address that Garmin workers were told to email in order to restore access to their data

A note from the hackers has been attached to every single data file within Garmin's systems along with details as to how the company will be able to restore access after paying a ransom

The company's communication systems have also been disabled and it now appears to be unable to respond to frustrated and disgruntled customers

The navigation company was hit by a ransomware attack on Thursday with customers unable to log their fitness sessions in Garmin apps ever since

An outage map shows just how big of a problem the company's apps are experiencing

In the past, Evil Corp targeted banks primarily located in the United States and the United Kingdom. 

They developed Dridex software, which was spread using phishing emails that would entice victims to click on malicious links or attachments embedded within the emails. 

Evil Corp would then use compromised credentials to fraudulently transfer funds from victims' bank accounts to those of bank accounts controlled by the group. 

Yakubets and his co-conspirators are alleged to have victimized 21 specific municipalities, banks, companies and nonprofit organizations in California, Illinois, Iowa, Kentucky, Maine, Massachusetts, New Mexico, North Carolina, Ohio, Texas and Washington.

Evil Corp is known to be one of the world's most prolific cybercriminal organizations and operates as a business run by a group of individuals based in Moscow, Russia. 

In June, it was revealed how Evil Corp had breached 31 major American corporations with a new ransomware attack targeting employees working from home.

The cybersecurity firm Symantec first announced the breach and attributed it to WastedLocker.

The FBI is offering a $5 million reward for info that leads to the capture of Maksim Yakubets who is known to work directly with the Russian government in carrying out malicious cyber attacks

Maksim Yakubets is pictured second from left along with other Evil Corp members who allegedly 'provide material assistance' including, from left, Kirill Slobodskoy, Dimitriy Slobodskoy, in red shirt and Artem Yakubets, far right   

Evil Corp members Kirill Slobodskoy, Dmitry Smirnov and Denis Gusev pictured in Dubai

Evil Corp declined to disclose the identities of the other targeted companies, but they include eight Fortune 500 companies and one major news publication. 

'These hackers have a decade of experience and they aren't wasting time with small, two-bit outfits,' Symantec's Eric Chien told the New York Times.

'They are going after the biggest American firms, and only American firms.' 

According to Chien, WastedLocker is part of a major expansion in hacking attempts focused specifically at major American business and government services in recent months.

'Security firms have been accused of crying wolf, but what we have seen in the past few weeks is remarkable,' Chien said.

'Right now this is all about making money, but the infrastructure they are deploying could be used to wipe out a lot of data — and not just at corporations.' 

According to Symantec, the ransomware is first downloaded on a worker's computer after clicking a malicious software update window.

Once installed on the person's computer, the ransomware begins unlocking permissions on the remote corporate network the person is connected to, with the goal of eventually locking the entire company out of its own systems to extract a ransom payment.

According to Symantec, the software update window that initiates the entire process could have come from from any one of 150 legitimate websites whose security Evil Corp has breached.

WastedLocker is part of a major expansion in hacking attempts focused specifically at major American business and government services in recent months. 

Russian native Yakubets owns a customized Lamborghini with a number plate that reads THIEF in Russian (pictured). He provided a 'malware' software which was downloaded by people who clicked on an email attachment which arrived in their inbox and stole their bank details

A Lamborghini Huracan and Audi R8 which were apparently used by Evil Corp members

One of Maksim's supercars which has been intricately designed and customized 

Worldwide, cybercrime results in losses that total in the billions of dollars, while in the United States, financial institutions and other businesses remain prime targets for cybercriminals but Evil Corp relies upon a number of core individuals to carry out critical logistical, technical, and financial functions.

Essentially the group is run like a legitimate business with someone in charge of managing the malware software with others supervising the operators seeking to target new victims, and laundering the proceeds derived from the group's activities.

Some of the other members cited for allegedly 'providing material assistance' in this way, according to the U.S. Treasury, are Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy, Dmitriy Slobodskoy and Kirill Slobodskoy. 

Andrey Plotnitskiy, who authorities identified as another member of Evil Corp

Evil Corp have long been behind international computer hacking and bank fraud schemes, which allow members of the group to purchase supercars such as this Audi

The Garmin Connect software can be seen unsuccessfully attempting to contact the company's servers to upload fitness data. The experience has frustrated customers 

The ransomware attack has led to a shutdown of many of Garmin's systems. 

Employees working from home connecting by VPN were also cut off from Garmin's systems in an effort to halt the spread of the ransomware across its network. 

Garmin been largely silent on the outage. On Saturday the company tweeted 'We are currently experiencing an outage that affects Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.'  

Brent Callow, a threat analyst at the security firm Emsisoft, said he had no firsthand knowledge but that it 'certainly has all the hallmarks of a ransomware incident.

'There is really no other event that would be likely to cause such widespread disruption and cause a company to immediately shut down everything from its online services to its production line,' Callow said.

Garmin's online fitness tracking service is offline leaving runners and cyclists unable to upload data from their latest workouts.

Garmin Connect, an app and website that works with the company's popular line of fitness watches, remained out of service on Sunday. The company apologized for the disruption at the end of last week when it indicated the problem was more widespread and also affected its communications systems.  

Some Garmin users were furious that the company had not explained the reason for its outage in five days while other mocked those who claimed it was disrupting their exercise routines

Garmin Aviation, which provides cockpit navigation and communication services, said on its Facebook page its 'flyGarmin' website and mobile app were down.   

Fitness enthusiasts took to social media to vent their frustrations about not being able to use the service.

Runners said that while the outage doesn't stop them from training, not being able to use Garmin Connect means they can't track their workout data or share their routes on Strava, a social network for runners and cyclists. 

Atlanta tech executive Caroline Dunn, who runs five days a week and finished the New York Marathon in 2018, said the outage means she and her running friends can't send each other kudos - Strava's version of Facebook's likes - to encourage each other. 

'We're not doing this for our health, we're doing this so that we can brag to our friends,' Dunn said lightheartedly. 'Now that we're all social distancing, I don't run in a group with my friends and they don't watch me run. I have to brag online to my friends about all of my runs.'

The outage is also preventing athletes from proving that they've completed virtual runs that are replacing the many races cancelled because of the pandemic, Dunn said. Runners who use the Garmin system can't be ranked because they can't submit GPS data to organizers.

A selection of Garmin's most popular products is shown above in a file photo

Smartwatch maker Garmin is suffering widespread outages after it was reportedly targeted in a ransomware attack. A notification about the update is seen on the company's website

Connecticut runner Megan Flood saw the prolonged outage as both a curse and a blessing.

'It's frustrating in part because my Garmin is connected to my Strava (fitness app), and I like the community aspect on Strava,' Flood, 27, said Friday. 'But sometimes not being so connected to my device is nice. I've run some of my best races when I forgot my watch or covered my watch face, so I find there are pros and cons to be so connected to a watch.' 

Tech-savvy users shared a workaround: plug the watch into a computer with a USB cable and manually transfer the files.

Some users also complained that Garmin's lack of communication was a bigger problem. 

Some Twitter users were quick to mock the situation Garmin and its wearers find themselves