Heimdal Case Files: The Honda Ransomware Attack
How Did the Ransomware Attack on Honda Happen? Who Was Behind the Honda Ransomware Attack?
Ransomware attacks are not going away anytime soon. At least that is what recent studies show. The list of high-profile ransomware cyberattacks gets longer and more alarming every day, affecting all kinds of organizations: gas pipelines, foodservice distributors, and nuclear weapons contractors. Today we are going to take a closer look at the Honda ransomware attack.
Honda Motor Company, Ltd, the world’s largest motorcycle manufacturer since 1959, recently confirmed in a tweet that it had experienced a cyberattack that compromised several of its facilities, causing some of the company’s international operations to halt.
At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable. We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding.
— Honda Automobile Customer Service (@HondaCustSvc) June 8, 2020
Honda is a Japanese public multinational conglomerate manufacturer of automobiles, motorcycles, and power equipment, headquartered in Minato, Tokyo, Japan.
The organization is the world’s largest manufacturer of internal combustion engines measured by volume, producing more than 14 million internal combustion engines each year. Also, Honda became the second-largest Japanese automobile manufacturer in 2001.
A Closer Look at the Honda Ransomware Attack
Some reports state that the Honda ransomware cyberattack was first discovered in the late hours of Sunday, June 7.
According to the company, the attack has affected its ability to access computer servers, use email, and otherwise utilize internal systems.
The Japanese car giant stated that there is also an impact on production systems outside Japan, declaring further that “work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities.”
The company also declared that no data had been breached, only held for ransom.
While cybersecurity specialists think a ransomware cyberattack is most likely to blame, it is not clear if the assault was aimed at information technology systems or industrial control systems themselves.
The organization said that some machines in Ohio, Italy, and Turkey were still offline, but that it had restarted production in most plants.
Honda has experienced a cyberattack that has affected production operations at some U.S. plants. However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.
Who Was Behind the Honda Ransomware Attack?
According to cybersecurity researchers, the cyberattack on Honda was probably a ransomware attack, specifically one involving the Snake ransomware family, also known as Ekans.
Spotted by the MalwareHunter Team, this relatively new type of ransomware is allegedly unique because it targets the entire network and the devices on the network, rather than individual computers.
Vitali Kremez, a security specialist at MalwareHunter’s team, stated that Snake ransomware first targets a system, removes Volume Shadow Copies Service (VSS), and then kills all processes associated with SCADA systems, virtual machines, industrial control systems, remote management tools, and network management software.
Afterward, the ransomware begins encrypting files and then sends a ransom message with the title “Fix-Your-Files.Txt” where a ransom request and an email address are mentioned specifically.
As usual, following the ransom payment, the victims receive a decryption key in return to decrypt their files.
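The sequence described above (shadow copy removal, then a burst of process terminations, then the “Fix-Your-Files.Txt” note) can be turned into a simple per-host correlation rule. The sketch below is an added example, not code from Heimdal or from any of the researchers quoted; the pipe-delimited event format, the event kind names, the host names, the 10-minute window and the three-kill threshold are all assumptions, and only the ransom note file name comes from the article.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "fix-your-files.txt"  # note name reported in the article, lower-cased
WINDOW = timedelta(minutes=10)      # assumption: correlation window
MIN_KILLS = 3                       # assumption: terminations that count as a burst
# Constructed sample events (timestamp|host|kind|detail), not real telemetry.
SAMPLE_EVENTS = r"""
2024-01-15T22:01:05|ws-101|shadow_delete|all volumes
2024-01-15T22:01:09|ws-101|proc_kill|hmi_server.exe
2024-01-15T22:01:09|ws-101|proc_kill|vm_tools.exe
2024-01-15T22:01:10|ws-101|proc_kill|remote_admin.exe
2024-01-15T22:03:40|ws-101|file_create|C:\Users\Public\Desktop\Fix-Your-Files.Txt
2024-01-15T22:05:00|ws-202|proc_kill|notepad.exe
2024-01-15T23:10:00|srv-7|shadow_delete|volume D:
2024-01-16T09:00:00|srv-7|file_create|D:\backup\report.txt
"""

def parse(text):
    """Yield (time, host, kind, detail) tuples from pipe-delimited lines."""
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, kind, detail

def detect(text):
    """Map host -> stages seen, for hosts where shadow-copy removal is followed
    within WINDOW by a process-kill burst and/or the ransom note."""
    by_host = defaultdict(list)
    for ev in sorted(parse(text)):
        by_host[ev[1]].append(ev)
    findings = {}
    for host, events in by_host.items():
        for start in (e[0] for e in events if e[2] == "shadow_delete"):
            later = [e for e in events if start <= e[0] <= start + WINDOW]
            kills = sum(e[2] == "proc_kill" for e in later)
            note = any(e[2] == "file_create"
                       and ntpath.basename(e[3]).lower() == RANSOM_NOTE for e in later)
            stages = ["shadow_delete"]
            if kills >= MIN_KILLS:
                stages.append("kill_burst")
            if note:
                stages.append("ransom_note")
            if len(stages) > 1:
                findings[host] = stages
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

On the constructed sample only ws-101 is reported: ws-202 never removes shadow copies, and on srv-7 nothing follows the removal inside the window.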
The cybersecurity firm VirusTotal declared that it had certain proof indicating that Honda’s internal server had been encrypted with Snake ransomware and that the attackers had requested a ransom in exchange for the encryption key.
It is currently unclear exactly how many systems were impacted, but Snake ransomware developers are notorious for copying important data before encrypting it to gain leverage in negotiations with the victim.
While the Japanese company doesn’t provide further details about these events, a security researcher named Milkream has discovered a sample of the Snake ransomware submitted to VirusTotal that checks for the internal Honda network name of “mds.honda.com.”
When BleepingComputer attempted to examine the sample, the ransomware would start and instantly exit without encrypting any files.
According to the security specialist, this happens because the malware tries to resolve the “mds.honda.com” domain; if the lookup fails, the ransomware terminates without encrypting any files.
When contacted, the SNAKE developers told BleepingComputer:
At this time we will not share details about the Honda ransomware attack in order to allow the target some deniability. This will change as time passes.
Oz Alashe, chief executive at cyber risk company CybSafe, said that Honda will probably have some trouble making a fast recovery from the ransomware attack as its global operations have already been disrupted, and rolling back up to full operations will take some time.
The attack is also likely to have a financial impact on the Japanese car giant, which is one of the world’s largest auto producers, employing over 200,000 workers on its payrolls in operations that extend all over the world.
The COVID-19 pandemic has created a considerable remote workforce which has increased the organization’s attack surfaces and enhanced existing flaws. Businesses of all sizes should prioritize and adapt their cybersecurity strategies to reflect how their employees now work.
To help you fight against ransomware attacks in a more efficient way we have created the Ransomware Encryption Protection module that was engineered to be universally compatible with any antivirus.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
Ransomware Encryption Protection by Heimdal™ is a revolutionary 100% signature-free component, ensuring market-leading detection and remediation of any type of ransomware, whether fileless or file-based.
Ransomware Encryption Protection’s advanced reporting features will derive invaluable digital forensics data such as process attack pathing, represented via bidimensional tree diagrams with stunning graphs, attacker’s origins, file connections, attempted kernel-level I/O, read/write operations, directory executions and file enumerations, CVE classification, impact severity, and much more.