Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers

Going nowhere: Honda has confirmed a ransomware infection hit its internal network

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports.

The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.”

Some Honda factories around the world were forced to suspend production, though output from the Turkey, India, USA and Brazil locations remains on hold at the time of writing.

Sky News reported yesterday that Honda’s networks began to suffer “issues” on Monday, and that “the company believed it was the result of unauthorised attempts to breach its systems.”

A Honda spokesbeing told several outlets: “We can confirm some impact in Europe and are currently investigating the exact nature.”

Another statement from the firm today added: “Work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities.”

In the meantime, multiple researchers have suggested the culprit was Ekans, with one, Milkr3am, posting screenshots on Twitter of a sample submitted to VirusTotal today that checks for the internal Honda network name of “mds.honda.com”.

Professor Alan Woodward of the University of Surrey told El Reg: “With a just-in-time system you need only a small outage in IT to cause a problem. As it happens I think Honda have recovered quite quickly. A few countries’ facilities are still affected but they seem to be coming back very fast, which suggests they had a good response plan in place.”

The speed at which the malware spread in Honda’s network indicates that the company has some centralised functions; “the usual culprits are finance,” he added.

“Virus Total seem[s] to suggest it might even be a modified version of Ekans, which would suggest a very targeted attack. Not your usual scatter gun approach… If that’s the case, this malware does actually have some elements which are tailored to attack ICS so it may be that some of their production facilities were affected directly.”

“Ekans is a derivative of Snake – it’s the name of the ransomware. It is unusual in that it is one of the few pieces of ransomware that has ability to target industrial control systems. It was used with devastating consequences against a German firm not long ago,” he explained.

The malware is already in the wild and so could have been launched by anyone, said Professor Woodward. But he said it appears “targeted as Virus Total [is] suggesting that it may have been specially modified to access Honda servers and penetrate network that way.”

He added: “I’m impressed at how fast Honda are recovering. They obviously learned from when they were whacked with Wannacry.”

If correct, this would suggest the same hacker crew targeted Honda as the one that hit a German hospital group called Fresenius some weeks ago. The operator of Ekans appears to be fairly new on the ransomware scene. ®
