Anatomy of a Breach: Garmin — WastedLocker Ransomware Takes Down Aviation, Fitness, and Marine Services

> series: anatomy_of_a_breach —— part: 140 —— target: garmin —— ransomware: wastedlocker —— services_down: aviation_fitness_marine —— reported_ransom: $10,000,000

Hedgehog Security 31 August 2020 13 min read

Aviation databases. Fitness tracking. Marine charts. Factory production. All down. For five days.

On 23 July 2020, Garmin suffered a WastedLocker ransomware attack that encrypted systems across its entire operation. Garmin Connect — used by millions of athletes and fitness enthusiasts worldwide — went offline. flyGarmin and Garmin Pilot — aviation services used by pilots for navigation database updates and flight planning — went down, raising safety concerns (pilots require current navigation databases). Garmin's marine and automotive navigation services were disrupted. Factory production lines halted. Even the company's call centres and internal email systems were affected. The outage lasted approximately five days.

Garmin reportedly paid approximately $10 million in ransom to obtain the decryption key — a payment complicated by the fact that WastedLocker was attributed to Evil Corp, a Russian cybercrime group whose leaders were under US Treasury OFAC sanctions. Paying ransom to sanctioned entities carries potential legal exposure under US law. Garmin reportedly used a third-party intermediary to negotiate and facilitate the payment — highlighting the ethical and legal complexities of ransomware payments.


When ransomware grounds pilots, the consequences extend beyond business.

Aviation Systems Offline

flyGarmin provides navigation database updates that pilots need for safe instrument flight. When flyGarmin went offline, pilots could not update their navigation databases — raising safety concerns. For organisations whose services affect safety of life, ransomware resilience is not a business decision — it is a safety obligation. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> validates resilience of safety-critical systems.

$10M Ransom and Sanctions Risk

The reported $10 million payment — to a group under US sanctions — created dual jeopardy: pay the ransom and risk sanctions violations, or refuse to pay and face prolonged outage affecting millions of users and aviation safety. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence's incident response</a> includes legal and regulatory guidance on ransom payment decisions.

Millions of Users Affected

Garmin Connect serves millions of fitness users who lost access to training data, health monitoring, and activity tracking for five days. While inconvenient rather than dangerous for fitness users, the outage demonstrated the dependency that millions of consumers have on connected service platforms. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the monitoring that detects ransomware before encryption completes.

Manufacturing Production Halted

Like <a href="/blog/anatomy-of-a-breach-norsk-hydro">Norsk Hydro</a> (2019), the Garmin attack disrupted physical manufacturing — demonstrating that IT ransomware can have OT consequences. <a href="/penetration-testing/infrastructure">Our infrastructure testing</a> includes IT/OT boundary security assessment and production system resilience.

Ransomware against safety-critical services creates obligations beyond business continuity.

The Garmin attack demonstrated that when ransomware affects safety-critical services — aviation navigation, marine charts, emergency communications — the stakes extend beyond business continuity to human safety. For UK organisations operating in aviation, maritime, healthcare, or any sector where service availability has safety implications, ransomware resilience must be engineered to safety-critical standards.

Cyber Essentials establishes baseline controls. Infrastructure testing validates ransomware resilience including backup integrity and recovery procedures. SOC in a Box monitors for ransomware indicators 24/7. And UK Cyber Defence provides the incident response, crisis management, and legal guidance that organisations need when ransomware threatens safety-critical services.


Garmin's ransomware took aviation databases offline. Could your safety-critical services survive the same?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates resilience. <a href="/cyber-essentials">Cyber Essentials</a> establishes the baseline. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects ransomware. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages the crisis.
