Kia outage may be the result of ransomware

A week-long outage for Kia is reportedly connected to a ransomware attack from the DoppelPaymer gang, says BleepingComputer.

Ransomware

Image: kaptnali, Getty Images/iStockphoto

More about cybersecurity

Kia Motors America may have been hit by a ransomware attack that has taken down some of its key customer-facing services. In a story published Tuesday, website BleepingComputer reported that Kia Motors USA was suffering a nationwide outage that was impacting IT servers, self-payment phone services, dealer platforms, phone support, and mobile apps. The outage seemingly began on Saturday as the Kia Owners Portal went offline, showing an error that Kia was “experiencing an IT service outage that has impacted some internal networks.”

In a statement shared with TechRepublic, Kia Motors acknowledged that an outage has been in effect since Saturday and that its UVO app and owner’s portal are now operational again. Kia added that it expects its remaining primary customer-facing affected systems will to continue to come back online within the next 24 to 48 hours.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

But BleepingComputer also discovered a tweet posted Monday by a Kia customer claiming that she had gone to a Kia dealership in Arizona to sign a new lease. In response, the manager allegedly told her that their computers had been down for three days due to ransomware, which has affected Kia all over the United States.

On Wednesday, a follow-up story from BleepingComputer reported that Kia had been the victim of a ransomware attack by the DoppelPaymer gang. A ransom note reportedly obtained by BleepingComputer claims that the network of Kia parent company Hyundai Motor America has been attacked and that any files, backups, and shadow copies will be unavailable until they pay for a decryption tool.

Further, a private victim page on the DoppelPaymer Tor payment site linked to from the ransom note states that a huge amount of data was stolen, or exfiltrated, from Kia Motors America and that it will be released publicly in two to three weeks if the company fails to negotiate. In return for the decryption of the stolen data, the gang is demanding 404 bitcoins (around $20 million). If the ransom is not paid within nine days, the price will rise to 600 bitcoins ($32 million).

However, the official response from Kia Motors America so far disputes any report of a ransomware attack. In its statement, Kia Motors responded to such speculation: “At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.”

SEE: How to easily check if an email is legit or a scam, and protect yourself and your company (TechRepublic)

A similar statement from Hyundai Motor America acknowledged that the outage started Saturday morning and is still affecting a limited number of customer-facing systems, which are in the process of coming back online. However, the company said it has seen “no evidence of Hyundai Motor America or its data being subject to a ransomware attack.”

But the dearth of details from Kia and Hyundai on the outage is raising a red flag with some people.

“There are still no details shared from Kia on the source of the outage, declaring that it was a general network issue and not ransomware related,” Kevin Dunne, president at application security provider Greenlight, told TechRepublic. “However, DoppelPaymer is still actively declaring that they have Kia’s data under ransom. The lack of communication from Kia on another cause of the outage is concerning and does not build great credibility to users that their data is truly safe.”

The underlying cause of the outage is still officially unknown. But if the source was a third-party supplier, then a company like Kia would disclose that fact and keep pressure on the supplier to fix the problem, Dunne said. Further, the lack of a clear root cause these many days into the outage triggers more questions than answers and does point to an attack from bad actors, Dunne added.

Whatever the cause in this case, DoppelPaymer’s ransomware tactic is one that’s becoming all too familiar. Rather than just holding the decrypted data for ransom, the attackers also threaten to release it publicly should there be no payment.

SEE: Account takeover attacks spiked in 2020, Kaspersky says (TechRepublic)

“This attack is typically focused on companies with critical customer information that would be damaging if released,” Dunne said. “Even if the victim can roll back to an uninfected version of their systems and become operational, they still need to pay the ransom to protect their customers’ data.”

With these types of double-edged attacks, even the right backup and recovery strategy will only fix half the problem if the attackers are still able to release the stolen data.

“Cybercriminals are becoming more sophisticated and, as they do, they are becoming bolder,” Saryu Nayyar, CEO of cybersecurity company Gurucul, told TechRepublic. “They are targeting large enterprises, stealing files before encrypting them, and demanding multi-million-dollar ransoms to prevent the destruction or release of the captive data.”

As a result, organizations need to do more to protect their environments, Nayyar said. This means the usual technical defenses such as security analytics but also improved user education as so many attacks come through phishing or social engineering.

“Eventually, the international law enforcement community will have to step up and deal with these cybercriminal gangs,” Nayyar added. “Until that happens, these criminal businesses will just continue to operate with near impunity.”

Also see