A week-long Kia outage is reportedly linked to a ransomware attack by the DoppelPaymer gang, BleepingComputer says.
Kia Motors America may have been hit by a ransomware attack that shut down some of its key customer-facing services. In a story published Tuesday, BleepingComputer reported that Kia Motors USA was suffering a nationwide outage affecting IT servers, self-pay phone services, dealer platforms, phone support and mobile apps. The outage apparently started on Saturday, when the Kia Owners Portal went offline and displayed an error message stating that Kia "had an IT service outage that was affecting some internal networks."
In a statement shared with TechRepublic, Kia Motors confirmed that there has been an outage since Saturday and that the UVO app and the owner portal are now operational again. Kia added that it expects the remaining primary customer-affected systems to come back online within the next 24 to 48 hours.
However, BleepingComputer also spotted a tweet posted Monday by a Kia customer who said she had gone to a Kia dealership in Arizona to sign a new lease. The manager reportedly told her that the dealership's computers had been down for three days because of ransomware affecting Kia across the United States.
On Wednesday, a follow-up story from BleepingComputer reported that Kia had been the victim of a ransomware attack by the DoppelPaymer gang. A ransom note obtained by BleepingComputer states that the network of Kia's parent company, Hyundai Motor America, has been attacked and that files, backups and shadow copies will not be recoverable until a ransom is paid for a decryption tool.
A private victim page on DoppelPaymer's Tor payment site, linked from the ransom note, further states that a large amount of data has been stolen from Kia Motors America and that it will be published in two to three weeks if the company does not negotiate. In exchange for decrypting the data, the gang demands 404 bitcoins (around $20 million). If the ransom is not paid within nine days, the price rises to 600 bitcoins (around $32 million).
However, Kia Motors America's official response so far denies the reports of a ransomware attack. In its statement, Kia Motors addressed the speculation directly: "Currently, based on the best and most current information, we can confirm that we have no evidence that Kia or Kia data has been exposed to a ransomware attack."
In a similar statement, Hyundai Motor America confirmed that the outage began on Saturday morning and is still affecting a limited number of customer-facing systems, which are expected to come back online shortly. However, the company said it "saw no evidence that Hyundai Motor America or its data was exposed to a ransomware attack."
For some observers, the lack of detail from Kia and Hyundai about the outage raises a red flag.
"There are still no details from Kia about the cause of the outage that explain that it is a general network problem and not ransomware," Kevin Dunne, president of application security vendor Greenlight, told TechRepublic. "However, DoppelPaymer is still actively declaring that Kia's data is being used as a ransom. Kia's lack of communication about another cause of the outage is worrying and does not create great credibility for users that their data is truly secure."
The underlying cause of the outage is still officially unknown. However, if the source were a third-party provider, a company like Kia would normally disclose that fact and put pressure on the supplier to fix the problem, Dunne said. Furthermore, the absence of a clear root cause this many days after the outage raises more questions than answers and points toward an attack by bad actors, Dunne added.
Whatever the cause, DoppelPaymer's ransomware tactics are all too familiar. Instead of merely holding the encrypted data for ransom, the attackers also threaten to publish it if no payment is made.
"This attack is usually focused on companies with critical customer information that would be harmful if published," said Dunne. "Even if the victim can fall back on an uninfected version of their systems and be operational, they have to pay the ransom to protect their customers' data."
With these double-edged attacks, even a sound backup and recovery strategy fixes only half the problem: the victim can restore its systems, but the attackers can still release the stolen data.
"Cyber criminals are getting more sophisticated and more courageous," Saryu Nayyar, CEO of cybersecurity company Gurucul, told TechRepublic. "They are targeting large companies, stealing files before they are encrypted, and demanding millions of dollars in ransom to prevent the captive data from being destroyed or released."
As a result, companies need to do more to protect their environments, Nayyar said. That means the usual technical defenses, such as security analytics, but also better user education, since so many attacks begin with phishing or social engineering.
"At some point, the international law enforcement community will have to step up against these cyber criminals," added Nayyar. "Until that happens, these criminal companies will continue to operate with near impunity."