GPS and wearables company Garmin Ltd. is reported to be the latest company to pay a ransom following a ransomware attack in a trend that some security experts say only encourages more attacks.

News that Garmin was suffering from a ransomware attack first emerged on July 23. While best known to consumers for its GPS units, the company also provides corporate services including navigational data for airlines with the outage causing serious issues with U.S. Federal Aviation Administration compliance.

The company initially claimed it was only suffering from “outages,” but four days later Garmin admitted that it had suffered a ransomware attack, describing it as a “cyberattack that encrypted some of our systems.”

According to Sky News, Garmin paid a multimillion-dollar ransom to gain a decryption key from those behind the ransomware attack. It’s believed that the attack involved WastedLocker ransomware, which is linked to hacking group Evil Corp, and that the ransom demanded was $10 million. As with the recent case of CWT Global B.V., that doesn’t necessarily mean that Garmin paid $10 million, just that it was a starting figure that could have been negotiated down.

The Sky News report, quoting people familiar with the matter, added that Garmin used Arete IR to negotiate the ransom payment. According to its website, Arete Incident Response is a New York City-based firm that promises to “get you back to business quickly.”

Even putting aside the issue that paying a ransom when attacked by ransomware is morally dubious and could encourage criminal groups to target more companies, this case is more complicated. Evil Corp was sanctioned by the U.S. Treasury Department in December, decreeing that “U.S. persons are generally prohibited from engaging in transactions” with Evil Corp or any of its individual members. If Evil Corp is behind the attack and payment was made, Garmin could potentially be in serious legal trouble.

Although many security experts argue that paying ransomware attackers is not a good practice, Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE that doing so is not always a bad thing.

“When data recovery costs an eight-digit amount and requires weeks of downtime, paying a seven-digit ransom is an economically sound decision,” Kolochenko said. Even so, he added, “as many recent cases demonstrate, cyber gangs rarely honor their promises to delete stolen data even after receiving the full payment. Similarly, payment of the ransom will not absolve any third parties of their legal duties if they are affected by the data breach, including a duty to report the incident to competent authorities and notify victims whose PII was compromised.”

The bottom line, he said, is that paying a ransom may help mitigate further damage caused by systems downtime and inability to serve customers. “Given that ransomware attacks are becoming incrementally more sophisticated and thus harder to prevent, we should expect a further surge of successful intrusions followed by a payment of ransom being dictated by economic efficiency,” he said.

Photo: U.S. Air Force