Kia Motors has suffered a ransomware attack by the DoppelPaymer gang. The gang demanding $20 million for a decryptor and not to leak stolen data and given 2-3 weeks if the company does not negotiate with the threat actors. Cybersecurity experts commented below on the danger of ransomware.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>Ransomware continues to be a global cybersecurity threat. In the business of cybercrime, ransomware takes the top spot since it has a high ROI by holding the victims\’ ransom for financial payment. Cybercriminals will of course continue to focus their efforts on this revenue-generating stream as we’re now seeing with the DoppelPaymer gang targeting Kia. During 2021, we will definitely see cyber-criminal individuals and groups try to maximize their return of investment with their attacks, whether it’s targeting high-value individuals and/or large enterprise organizations like a car company. The key message here is no one person or industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure you and your critical information assets remain safeguarded and protected against it.</p>
<p>This is an example of how disruptive ransomware can be, even for the largest organizations. Cybercriminals, such as those in the DoppelPaymer gang responsible for this attack, have honed their skills to create the most mayhem and disruption possible, in an effort to demand these incredibly high ransoms.</p> <p> </p> <p>In this case, the attack has impacted many significant IT systems, including those needed for customers to take delivery of their newly-purchased vehicles. This could cost the organization a considerable amount of money as well as reputational damage with current and potential customers.</p> <p> </p> <p>Like so many modern types of ransomware, DoppelPaymer not only cripples the organization\’s ability to conduct business but also extracts sensitive data that is used for leverage against the victim, in an effort to get them to pay the ransom. Unfortunately, with very few exceptions, once the data has left the organization, a data breach has occurred, and the organization will be subject to regulatory and other fines as a result. Even if the data is not published publicly, it will most likely be sold eventually or traded on the dark web.</p> <p> </p> <p>DoppelPaymer, like most other ransomware strains, is generally spread through phishing emails, so organizations should ensure employees are trained to spot and report the suspicious emails that could potentially be used to attack them. Combining ongoing training and regularly scheduled simulated phishing tests, is extremely effective in preparing employees to defend against these types of attacks.</p>
<p>The alert warns a \"HUGE\" amount of data was exfiltrated from Kia Motors America. This is usually a sign the hackers were in the system for a long time, e.g. the hackers had a long \"dwell-time.\" (Dwell-time is the amount of time during which an attack goes undetected.) According to one report from Booz Allen Hamilton, cybersecurity dwell times may last between 200-250 days before discovery.</p> <p> </p> <p>Hackers are going to use some mechanism to enter or systems, be it phishing, social engineering, weak passwords, default admin passwords, etc. They might even be a trojan horse inside a legitimate agent (e.g. SolarWinds). The logical defense is to detect their actions once they penetrate the system. We know that in the Kill Chain, the attacker is going to attempt lateral movement and escalation of privileges. This is the point where we have to identify and stop the attack. </p> <p> </p> <p>One key mitigation method is enforcing the NIST PR.AC-6 principle of least privilege and attest to every privilege escalation to key security groups that legitimate users and hackers attempt. Organizations need to adopt solutions that force an immediate review of the account escalation attempts using IT audit and security access review products.</p>
<p>Cybercriminals are becoming more sophisticated and, as they do, they are becoming bolder. They are targeting large enterprises, stealing files before encrypting them, and demanding multi-million-dollar ransoms to prevent the destruction or release of the captive data. The attack on Kia is just another example of this trend. It highlights that organizations need to do more to protect their environments, through both improved user education as so many attacks come through phishing or social engineering, and technical means such as security analytics. Eventually, the international law enforcement community will have to step up and deal with these cybercriminal gangs. Until that happens, these criminal businesses will just continue to operate with near impunity.</p>
<p>The very recent ransomware attack on Kia Motors America demonstrates just how important it is for every organization to rethink data security. Threatened with an imminent leak of stolen data, Kia must now assess just how much sensitive information might be released if they don’t meet the terms of the threat actors. Hopefully they are able to navigate this situation effectively with minimal damage.</p> <p> </p> <p>The ironic thing is that enterprises can avoid the threat of leaked hijacked data simply by taking a data-centric approach to protecting sensitive information. Using tokenization or format-preserving encryption, businesses can obfuscate any sensitive data within their data ecosystem, rendering it incomprehensible no matter who has access to it. These reports should all be treated as cautionary tales, as an enterprise might find themselves in the same boat without the proper data-centric approach.</p>