As much as we can say that cyber security measures are advancing, we can say the same about cyber criminals and their strategies.

In 2022, ransomware attacks occurred every 11 seconds on average, at a global annual cost to businesses and governments of $20 billion US.

Costs are rising in part due to the growing ransoms demanded from victims. While estimates of the average ransomware payout in 2020 was $5,600 US, the Sophos State of Ransomware 2022 report found the average ransom paid by organizations had ballooned to $812,360. Fully 11% of organizations are now extorted for ransoms of $1 million or more by ransomware criminals.

Let’s look at one case study—the Garmin Security Breach of 2020—to understand how cyber security leaders can better defend against ransomware attacks. Ultimately, security awareness training can help reduce risk, change unsafe online user behaviors, and grow a security-minded organizational culture.

What Happened in the Garmin Security Breach

Garmin is best known for its fitness-tracking GPS wearables, but it also does some business in both the automotive and aviation space.

On July 23, 2020, cyber criminals targeted Garmin with a ransomware attack using the WastedLocker tool. Unlike other ransomware, WastedLocker does not steal information and holds it for ransom. Instead, it renders a victim’s programs useless until decrypted.

The hacking group Evil Corp created WastedLocker. The US government added Evil Corp to its sanctions list in 2019 for stealing over $100 million from banks and financial institutions.

In Garmin’s case, the malware encrypted their internal systems and shut down critical services like Garmin Connect, flyGarmin, Strava, and inReach. The company first detected the attack when employees began to share photos of encrypted workstations.

With the files encrypted, hackers demanded a $10 million ransom to restore access to the data. Though never officially confirmed, Garmin is widely believed to have paid the ransom (likely through an intermediary to avoid breaking US-sanction laws).

Within four days, Garmin began to restore its services and used a decryption key to lift the restrictions, further suggesting a ransom was paid.

6 Key Lessons Learned from the Garmin Security Breach

The Garmin malware attack showed that no one is safe from cyber criminals and that sizeable online service providers are a prime target for ransomware. Some of the key lessons are:

1. Ransomware attacks are highly targeted

Hackers target organizations like Garmin because they hold abundant valuable user data vital to their online services and can afford high ransom demands. By encrypting essential user data, the attackers pressured the wearables provider to pay the fine to avoid prolonged downtime.

2. Paying a ransom sets a dangerous precedent

With Garmin suspected to have paid the ransom, there is a considerable risk that other cyber criminals will target it for future attacks, positing this information. Choosing to pay a ransom sets a precedent that incentivizes other hackers to target a company and funds them for their next attack.

Recent data shows that 80% of companies who paid a ransom were hit with ransomware a second time—sometimes as little as one month later. Up to 40% of those businesses paid again, usually a higher ransom the second time.

3. Many ransomware attacks are impossible to decrypt

As cyber criminals develop more advanced ransomware, decrypting these attacks is increasingly challenging. With some ransomware strains, the only way to get your data back is by paying a ransom to the attacker to obtain a decryption key, even though you have no guarantee the attackers will return access to your files.

4. A single error can cause a ransomware outbreak

Users can easily trigger a ransomware attack – such as WastedLocker – by downloading a malicious software update from a website. A Garmin employee could have started the outbreak by clicking on a fake link and infecting the entire network.

5. Ransomware hurts most when it hits customer operations

Disrupting customer operations has the biggest bang for the buck for ransomware criminals. Being able to attack Garmin’s connected devices or any business’ operating assets, such as a webstore or customer interface, will yield the most pain in the least amount of time, making the victim more likely to pay up.

Organizations should invest in protecting assets that deliver essential services to customers.

6. Falling victim to ransomware can damage your reputation

Developing a reputation for data leaking is terrible, not only for acquiring new customers but also retaining existing ones. Potential Garmin customers now know that the company is susceptible to data breaches, which will make them less enthusiastic about submitting personal information. Future breaches or downtime may drive customers away from Garmin altogether.

How to Stay Safe from Ransomware and Other Online Threats: 7 Tips for Cyber Security Leaders

The best way to stay safe from falling victim to ransomware is to avoid contracting it in the first place. Here are some actions that can help you protect against a ransomware attack:

1. Focus on employee training

Your employees are your first line of defense against threats like ransomware and phishing attempts. Training solutions like phishing simulation tools are vital for educating employees to identify fake links or attachments that could compromise your systems.

2. Use security awareness training and phishing awareness training

Developing your employees’ knowledge with security awareness training and phishing awareness training will keep the latest ransomware, phishing, and social engineering threats top-of-mind, reducing the risk of an outbreak.

3. Develop internal cyber security heroes to raise awareness

Train internal cyber security heroes about the latest threats and security measures, so they can guide other employees on how to protect your organization. A complete training and mentorship program will prepare these ambassadors to train other employees and help build a security-conscious culture.

4. Keep software and devices up to date

Many ransomware types, such as the famous WannaCry strain, use unpatched system vulnerabilities to encrypt the victim’s files. Keeping workplace software and devices updated eliminates vulnerabilities so that fraudsters have no entry point to break into your systems.

5. Produce regular cyber security campaign updates

Releasing regular updates about the latest cyber threats and security best practices provides employees with valuable information about protecting themselves against new threat vectors. For example, a timely email detailing how to spot a phishing scam or a fake website can help employees identify threats more consistently.

6. Limit administrative rights on computers

Whenever possible, reduce user privileges on endpoints and use policies that restrict access to critical systems.

7. Backup your data

Use a secure option to back up your data that cannot be compromised if a computer is infected with ransomware.


A “successful” ransomware attack, such as the one Garmin fell victim to, can be financially devastating to a company. The costs of a ransom, downtime, and reputational damage are more than enough to put you out of business.

With hackers honing their skills and producing ransomware that’s harder to decrypt, the only way to stay safe is by being proactive and training your employees regularly with security awareness training.

Security awareness training gives your employees the tools to respond to everything from a ransomware attack to a social network breach.



Cyber Security Hub: Access Exclusive Cyber Security Content

To learn more about phishing, social engineering, and how to defend yourself against these and other cyber threats, visit our free Cyber Security Hub—your one-stop cyber security awareness and knowledge center.