The automaker refutes rumors of a cyberattack. (Image: Shutterstock)
A $27 million ransom has been demanded from Kia Motors America following a ransomware attack, and a huge amount of data is reportedly being exposed.
According to a claim by tech website BleepingComputer, which has access to the ransom note, persistent IT failures at Kia Motors America are the consequence of a ransomware attack by the DoppelPaymer gang.
Based in Irvine, California, Kia Motors America is a division of the Kia Motors Corporation, in which Hyundai holds a minority stake. It produces cars in Georgia and has approximately 800 dealers across the country.
The company’s mobile “Uvo” apps, phone services, payment systems, owner’s portal, and internal websites used by the dealers have all been hit by IT outages for a number of days.
One Twitter user claimed that when they went to a Kia dealership to pick up their new car, they were told they couldn’t because the company’s servers were down as a result of a ransomware attack.
Visitors to the Kia Motors America website were shown a notice about the outage.
The statement said that KMA is aware of IT disruptions affecting internal, dealer, and customer-facing services, including Uvo.
“We apologize for any inconvenience caused to our clients and are working as quickly as we can to find a solution and resume regular company operations.”
The article claims that the DoppelPaymer gang attacked Kia Motors America and left a note demanding payment of $US20 million in bitcoin ($26.7 million).
“Your network has been compromised, and until you pay for a decryption tool, your files, backups, and shadow copies won’t be accessible.”
“The first portion of the data will be shared with the public if no contact is made within three business days after the infection, and the rest will remain inaccessible to you.”
The business was instructed to download and set up the Tor Browser, copy in an address, and process the bitcoin payment.
According to the ransom note, a huge amount of data was taken, and if the hackers are not paid within two or three weeks, they will publish it.
If the payment isn’t made right away, the hackers’ demand of 404 bitcoins, presently worth around $US20 million, would rise to 600 bitcoins, currently worth $US30 million.
According to the firm, there have been online rumors that Kia is the target of a “ransomware” attack.
“We can now state with certainty that there is no proof that Kia or any Kia data has been the target of a “ransomware” assault.”
This is the latest in a string of high-profile ransomware attacks, several of which have targeted Australian businesses.
These include the logistics firm Toll, which experienced a protracted cyberattack at the beginning of last year and saw the hackers dump data on the dark web, including the personal information of both present and past employees.
Late last year, the popular camera brand Canon was also the target of a ransomware attack in which 10 terabytes of data were taken and a ransom was demanded.
Earlier this year, European law enforcement succeeded in taking down the notorious Emotet botnet as part of an international operation against the malware, which hackers frequently used to deliver ransomware.
Denham Sadler is a Melbourne-based independent journalist. He previously served as Editor of StartupSmart and writes on politics and technology. His writing has featured in both The Saturday Paper and The Guardian.
Was a ransom paid by Kia?
According to news sources, the DoppelPaymer gang allegedly hit Kia Motors America with ransomware, demanding $20 million for a decryptor and a promise not to release the stolen data.
The day prior, BleepingComputer reported an IT outage at Kia Motors America that disrupted its servers, self-payment systems, dealer platforms, and phone assistance. According to Kia staff, the nationwide outage began on Saturday, February 23.
The next day, BleepingComputer acquired a ransom note written by the DoppelPaymer ransomware gang during the alleged Kia Motors America cyberattack. The attackers said they had attacked Kia’s parent business, Hyundai Motor America. However, the attack did not appear to have had any impact on Hyundai.
The note includes a link to a personal victim page on the DoppelPaymer Tor payment website, according to BleepingComputer. The target, according to the note, is Hyundai Motor America, and if the business does not negotiate with the threat actors, “a big amount of data was taken, or exfiltrated, from Kia Motors America and it will be disseminated in 2-3 weeks.”
The ransomware group is demanding 404 bitcoins, or $20 million, to stop the data from being leaked and to provide a decryptor. If the ransom is not paid promptly, it rises to 600 bitcoins ($30 million).
After being contacted by BleepingComputer, Kia Motors America released the following statement: “Kia Motors America, Inc. (“Kia”) is presently dealing with an extended systems outage. The Kia Owners Portal, UVO Mobile Apps, and the Consumer Affairs Web portal are among the services that are affected. We apologise for any difficulty caused to the customers in question, and we’re doing everything in our power to find a solution as soon as we can with the least disruption to our operations. Additionally, we are aware of web rumors that Kia is the target of a “ransomware” attack. We can affirm right now that there is no proof that Kia or any Kia data is exposed to a “ransomware” attack.”
Cowbell Cyber’s founder and CEO, Jack Kudale, says: “The ongoing Kia ransomware incident demonstrates how the compounded damages – ransom demand, business interruption, and threat of a data breach – are out of proportion to how a ransomware attack typically begins, with a worker clicking on a phishing email. Informing and preparing policyholders for what will happen following an incident is a crucial but frequently underappreciated function of insurance. Knowing the resources your insurer can provide is essential in the case of cyber.”
According to Shawn Smith, Director of Infrastructure at nVisium, “Attacks by ransomware like this one show how crucial and affordable it is to have effective backup and recovery procedures. Because you can’t trust the attackers, even if you pay them $20 million to keep the data private, you must proceed as if it has already been compromised. This entails updating all passwords, rotating access keys, etc. If you already have backups of your data, then you don’t need to pay this sunk cost for an uncertain conclusion. The road to recovery is made considerably smoother by using proper backups and a specified recovery plan to employ those backups. Change any passwords and access keys the attackers may have, clean or replace any compromised systems, fix the vulnerability that was exploited, and then restore the data from your backups. When everything is finished, you may assess what was taken and determine the next measures the company should take to properly disclose the breach and notify users.”
According to Chris Morgan, Senior Cyber Threat Intelligence Analyst at San Francisco-based Digital Shadows, a provider of digital risk prevention tools, “Attacks carried out by ransomware gangs have dramatically increased in quantity and level of sophistication over the past year. These organizations favor “large game hunting” techniques that focus on enterprise networks. This is the case with the incident at Kia Motors America, where numerous services at Kia were affected at once to maximize outages. This can then be used as leverage to demand ransom payments of tens of millions to hundreds of millions of dollars, often with an increase in price if demands are not met right away. Every day that services are unavailable on the commercial front results in operating costs, which can also harm a company’s reputation. DoppelPaymer, like the majority of ransomware organizations, runs a website designed to disseminate data acquired from victims if they refuse to comply with the group’s demands. By increasing the consequences of not paying, this increases the pressure on victims to pay the ransom.”
Morgan adds, “While information about the issue at Kia is still lacking, operators of DoppelPaymer frequently utilize the Emotet virus to acquire initial access. Emotet is typically distributed using phishing emails, which are then used to download other tools that help the attacker move around the victim’s network. Before a final payload is used to encrypt files and services, valuable data is detected and exfiltrated. Organizations can take a number of precautions to reduce the risk of a DoppelPaymer attack (or a ransomware attack in general); for example, they should avoid responding to suspicious or unverified emails and back up important files using the 3-2-1 method, which involves making at least 3 copies of their data: 2 on local but different mediums, and 1 copy offsite. Ensure that all software and applications have the most recent security updates.”
According to Piyush Pandey, CEO of Appsian, “The attack on Kia Motors serves as a timely warning that data is the main objective of cybercriminals. Organizations devote far too many resources to securing their perimeter, when the safety of their data should be their first priority. A perimeter-first approach to security typically fails. Every information security leader should be knowledgeable about and actively implementing Defense-in-depth, Zero Trust, and Least Privilege strategies, especially for their business applications.”
Can automobiles be remotely controlled and hacked?
Remote hacking into an unconnected car is not possible. However, if you don’t drive the most recent Tautology Motors vehicle, your car is probably vulnerable to some type of digital infiltration. In fact, if a car can connect, it can be partially or completely hacked today.
Has Hyundai suffered a hack?
According to the research, emails from Hyundai Glovis employees as well as internal data from Hyundai Autoever and basic design drawings were exposed on the dark web.
The files include the IT system design, Outlook backup files, a document named “rebate,” a document detailing a bank transaction, a business outlook report, and security-related internal IT documents. They date from between 2007 and 2021.
According to information published by Bleeping Computer, one of the affiliates, KIA America, was the victim of a ransomware attack in February.
In February, the same black-hat group, DoppelPaymer, demanded $20 million for a decryptor and promised not to release the stolen data.
A statewide IT disruption affected Kia Motors America’s mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal dealership sites.
Additionally, the interruption interferes with dealers’ use of Kia’s KDealer platform and KGSIS (Kia Global Service Information System).
Many Hyundai and dealership staff members contacted BleepingComputer at the time to report that Hyundai was also experiencing unexplained outages.
Black-hat hackers may have compromised Hyundai Motor Group or Hyundai partners in order to obtain the data.
KIA America officially declared on February 17th, 2018, that there had been no cyberattack, including ransomware.
The Miilk team stated that they are awaiting Hyundai Motor America’s formal answer.
How are Kias made?
In 1998, Hyundai Motor Group decided to buy the automaker in order to keep it viable. Although Kia and the Hyundai Motor Group are separate companies, Kia Motors is a subsidiary of Hyundai. The difference between Kia and Hyundai is that each brand follows its own brand philosophy and builds its vehicles in a distinctive manner.
What is DoppelPaymer?
DoppelPaymer is ransomware: software created to encrypt files and prevent users from accessing them. Victims are urged to pay a ransom to the cybercriminals in order to regain access. According to research, criminals employ DoppelPaymer in targeted attacks.
They therefore target particular businesses and/or sectors. Criminals who are after a particular victim frequently try to infiltrate (infect) the entire network (for example, all computers used within a particular company). Each file encrypted by this ransomware has the “.locked” extension added to its filename.
“1.jpg,” for instance, becomes “1.jpg.locked.” A .txt file containing a ransom note is dropped beside each encrypted file: “1.jpg.readme2unlock.txt” contains the message for “1.jpg.locked,” and so on. Newer versions of this ransomware encrypt files with the “.doppeled” extension.
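The naming convention above is what an analyst looks for first when triaging a suspected DoppelPaymer host. The following added example (not code from the original page or from any of the vendors quoted on it) classifies a directory listing using exactly those suffixes, pairs each encrypted file with its note, and flags unmatched entries; the listing it runs on is constructed for illustration.

```python
from collections import Counter

# Naming described on this page: "1.jpg" becomes "1.jpg.locked" (older builds)
# or "1.jpg.doppeled" (newer builds), with a note "1.jpg.readme2unlock.txt" beside it.
ENCRYPTED_SUFFIXES = (".locked", ".doppeled")
NOTE_SUFFIX = ".readme2unlock.txt"

def classify(name):
    """Return (kind, original_name); kind is "encrypted", "note" or "other"."""
    for suffix in ENCRYPTED_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return "encrypted", name[: -len(suffix)]
    if name.endswith(NOTE_SUFFIX) and len(name) > len(NOTE_SUFFIX):
        return "note", name[: -len(NOTE_SUFFIX)]
    return "other", name

def scan_listing(names):
    """Pair encrypted files with their notes and flag the unmatched ones."""
    encrypted, notes, by_suffix = {}, set(), Counter()
    for name in names:
        kind, original = classify(name)
        if kind == "encrypted":
            encrypted[original] = name
            by_suffix[name[len(original):]] += 1   # ".locked" or ".doppeled"
        elif kind == "note":
            notes.add(original)
    return {
        "encrypted_count": len(encrypted),
        "by_extension": dict(by_suffix),
        "originals": sorted(encrypted),            # names to restore from backup
        "encrypted_without_note": sorted(set(encrypted) - notes),
        "note_without_file": sorted(notes - set(encrypted)),
    }

# Constructed sample listing (not real victim data): one folder after an infection.
SAMPLE_LISTING = [
    "1.jpg.locked", "1.jpg.readme2unlock.txt",
    "report.docx.doppeled", "report.docx.readme2unlock.txt",
    "ledger.xlsx.locked",             # encrypted, but its note is missing
    "notes.txt.readme2unlock.txt",    # note left behind, file already moved
    "setup.exe", "readme.txt",        # untouched files
]

if __name__ == "__main__":
    for key, value in scan_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The "originals" list doubles as the restore list for the backup-based recovery described later on this page.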
The same phrase is used in all ransom communications to warn victims not to turn off or restart their computers, change or delete encrypted files or ransom messages, or attempt to restore files using different software. Cybercriminals claim that these actions could result in the permanent loss of data.
The victims must download the Tor browser and click a link that is provided in each generated ransom message in order to receive instructions on how to decrypt their data. Victims are informed that they have seven days to use the link before it expires. Furthermore, it is claimed that the cost of decryption would be reduced the sooner victims get in touch with DoppelPaymer’s developers.
The aforementioned link launches a Tor website where victims can engage in online chat with cybercriminals. Below is a screenshot of the Tor website that was produced as a result of cybercriminals targeting Ohio Gratings Inc.
Typically, ransomware like DoppelPaymer encrypts files with strong algorithms, making it impossible for victims to decrypt their data without tools that only the ransomware’s creators hold. Unfortunately, even though the cybercriminals possess these tools, they rarely hand them over; instead, victims who pay are frequently cheated.
Restoring files from a backup (provided it was not also encrypted) is typically the only free way to recover them without tools bought from the cybercriminals. Files remain locked even after victims remove the ransomware from the machine. Simply put, removing the malware only prevents further encryption.
Message on a screen urging customers to pay a ransom to unlock their encrypted data
Nvram, Major, and Lokf are three further examples of ransomware. Most of the time, it is designed to encrypt data and produce or display a ransom note that includes information on how to pay for a decryption tool and/or key. The size of the ransom and the type of cryptographic algorithm (symmetric or asymmetric) the ransomware uses to encrypt data are two common differences between families.
Unless the ransomware itself contains implementation flaws, most such programs use strong encryption, making it infeasible to decrypt files without tools held only by the ransomware developers. For that reason, keep a copy of your data on an unplugged storage device or a remote server.
Which automobiles are hackable?
Ford F-150, Dodge Ram 1500, Chevy Silverado, Toyota Rav4, Honda CRV, Nissan Rogue, Chevrolet Equinox, Toyota Camry, Honda Civic, and Toyota Corolla are among the top ten most hackable car models, according to Consumer Watchdog. Tesla was ranked as the most hackable vehicle in the world by Consumer Watchdog.
How can I turn off the Internet in my car?
There are three steps users should take when parting with a car:
- Remove the ability to connect with the vehicle from all phones, applications, and gadgets.
- Renew any satellite radio, OnStar, or similar subscriptions you may have.
- Change all passwords right away.