Experts Reaction On Kia Motors Suffers Ransomware Attack

By ISBuzz Team
Writer , Information Security Buzz | Feb 18, 2021 04:10 am PST

Kia Motors has suffered a ransomware attack by the DoppelPaymer gang. The gang is demanding $20 million for a decryptor and a promise not to leak the stolen data, and has given the company 2-3 weeks to negotiate. Cybersecurity experts commented below on the danger of ransomware.

8 Responses

  1. Ransomware continues to be a global cybersecurity threat. In the business of cybercrime, ransomware takes the top spot since it has a high ROI by holding the victims' ransom for financial payment. Cybercriminals will of course continue to focus their efforts on this revenue-generating stream as we're now seeing with the DoppelPaymer gang targeting Kia. During 2021, we will definitely see cyber-criminal individuals and groups try to maximize their return on investment with their attacks, whether it's targeting high-value individuals and/or large enterprise organizations like a car company. The key message here is no one person or industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure you and your critical information assets remain safeguarded and protected against it.

  2. This is an example of how disruptive ransomware can be, even for the largest organizations. Cybercriminals, such as those in the DoppelPaymer gang responsible for this attack, have honed their skills to create the most mayhem and disruption possible, in an effort to demand these incredibly high ransoms.

     In this case, the attack has impacted many significant IT systems, including those needed for customers to take delivery of their newly-purchased vehicles. This could cost the organization a considerable amount of money as well as reputational damage with current and potential customers.

     Like so many modern types of ransomware, DoppelPaymer not only cripples the organization's ability to conduct business but also extracts sensitive data that is used for leverage against the victim, in an effort to get them to pay the ransom. Unfortunately, with very few exceptions, once the data has left the organization, a data breach has occurred, and the organization will be subject to regulatory and other fines as a result. Even if the data is not published publicly, it will most likely be sold eventually or traded on the dark web.

     DoppelPaymer, like most other ransomware strains, is generally spread through phishing emails, so organizations should ensure employees are trained to spot and report the suspicious emails that could potentially be used to attack them. Combining ongoing training and regularly scheduled simulated phishing tests is extremely effective in preparing employees to defend against these types of attacks.

  3. The alert warns a "HUGE" amount of data was exfiltrated from Kia Motors America. This is usually a sign the hackers were in the system for a long time, e.g. the hackers had a long "dwell-time." (Dwell-time is the amount of time during which an attack goes undetected.) According to one report from Booz Allen Hamilton, cybersecurity dwell times may last between 200-250 days before discovery.

     Hackers are going to use some mechanism to enter our systems, be it phishing, social engineering, weak passwords, default admin passwords, etc. They might even be a trojan horse inside a legitimate agent (e.g. SolarWinds). The logical defense is to detect their actions once they penetrate the system. We know that in the Kill Chain, the attacker is going to attempt lateral movement and escalation of privileges. This is the point where we have to identify and stop the attack.

     One key mitigation method is enforcing the NIST PR.AC-6 principle of least privilege and attesting to every privilege escalation to key security groups that legitimate users and hackers attempt. Organizations need to adopt solutions that force an immediate review of the account escalation attempts using IT audit and security access review products.
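
The review of privileged-group escalations that the comment above calls for, as an added example written for this page (it is not the commenter's code or any vendor's product). It reads Windows Security events in the shape a SIEM export might take, keeps only additions to privileged groups (event IDs 4728, 4732 and 4756 are the real "member added to a security-enabled global/local/universal group" events) and tags each one with its change ticket if it was pre-approved; the sample events, the group list and the approved-change table are constructed assumptions.

```python
"""Flag additions to privileged groups and force a review (added example).

This is an illustration written for this page, not the commenter's or any
vendor's code. The records below are constructed in the shape of a SIEM
export of Windows Security events; IDs 4728, 4732 and 4756 are the real
"member added to a security-enabled global/local/universal group" events.
The group list and the approved-change table are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Groups whose membership grants domain- or host-level administrative power.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Backup Operators", "Account Operators",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = """\
{"EventID": 4728, "TimeCreated": "2021-02-15T02:14:07Z", "SubjectUserName": "svc_backup", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins", "Computer": "DC01"}
{"EventID": 4732, "TimeCreated": "2021-02-15T09:30:11Z", "SubjectUserName": "helpdesk1", "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users", "Computer": "WS042"}
{"EventID": 4756, "TimeCreated": "2021-02-15T10:02:45Z", "SubjectUserName": "it_admin", "MemberName": "CN=svc_deploy,OU=Service,DC=corp,DC=example", "TargetUserName": "Enterprise Admins", "Computer": "DC01"}
{"EventID": 4624, "TimeCreated": "2021-02-15T10:05:00Z", "SubjectUserName": "jdoe", "Computer": "WS007"}
"""

# Constructed change-control table: (group, member) pairs with an open ticket.
# Anything not listed here is treated as unapproved and must be reviewed.
APPROVED_CHANGES: Dict[Tuple[str, str], str] = {
    ("Enterprise Admins", "svc_deploy"): "CHG-20210215-01",
}


@dataclass
class Finding:
    time: str
    actor: str    # account that performed the change (SubjectUserName)
    member: str   # account that was added (CN taken from MemberName)
    group: str    # privileged group touched (TargetUserName)
    host: str
    ticket: Optional[str]

    @property
    def approved(self) -> bool:
        return self.ticket is not None


def member_cn(dn: str) -> str:
    """Pull the CN out of a distinguished name such as 'CN=jdoe,OU=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def review_group_changes(lines: str) -> List[Finding]:
    """Return one Finding per addition to a privileged group, tagged with
    its change ticket if the addition was pre-approved."""
    findings: List[Finding] = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        member = member_cn(ev.get("MemberName", ""))
        findings.append(Finding(
            time=ev["TimeCreated"], actor=ev["SubjectUserName"],
            member=member, group=group, host=ev["Computer"],
            ticket=APPROVED_CHANGES.get((group, member)),
        ))
    return findings


def unapproved(lines: str) -> List[Finding]:
    """The subset that needs a human to confirm or roll back right now."""
    return [f for f in review_group_changes(lines) if not f.approved]


if __name__ == "__main__":
    for f in review_group_changes(SAMPLE_EVENTS):
        status = f"approved ({f.ticket})" if f.approved else "UNAPPROVED - review now"
        print(f"{f.time} {f.host}: {f.actor} added {f.member} to '{f.group}' [{status}]")
```

On the constructed input, the 02:14 addition of jdoe to Domain Admins by a backup service account has no ticket and is the one that should page someone; the Enterprise Admins change matches an open ticket and is merely logged. In production the approved-change table would come from the change-management system and the findings would feed the ticketing or SOAR tool rather than stdout, but the decision logic is the same.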

  4. Cybercriminals are becoming more sophisticated and, as they do, they are becoming bolder. They are targeting large enterprises, stealing files before encrypting them, and demanding multi-million-dollar ransoms to prevent the destruction or release of the captive data. The attack on Kia is just another example of this trend. It highlights that organizations need to do more to protect their environments, through both improved user education as so many attacks come through phishing or social engineering, and technical means such as security analytics. Eventually, the international law enforcement community will have to step up and deal with these cybercriminal gangs. Until that happens, these criminal businesses will just continue to operate with near impunity.

  5. The very recent ransomware attack on Kia Motors America demonstrates just how important it is for every organization to rethink data security. Threatened with an imminent leak of stolen data, Kia must now assess just how much sensitive information might be released if they don't meet the terms of the threat actors. Hopefully they are able to navigate this situation effectively with minimal damage.

     The ironic thing is that enterprises can avoid the threat of leaked hijacked data simply by taking a data-centric approach to protecting sensitive information. Using tokenization or format-preserving encryption, businesses can obfuscate any sensitive data within their data ecosystem, rendering it incomprehensible no matter who has access to it. These reports should all be treated as cautionary tales, as an enterprise might find themselves in the same boat without the proper data-centric approach.
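
The data-centric approach the comment above describes, as an added example written for this page rather than the commenter's or any vendor's code. It implements vault-based tokenization: application records keep random tokens (card tokens keep their length and last four digits so existing displays still work), and only a separately secured vault can map a token back to the real value, so a stolen copy of the application data exposes nothing. The customer records, field names and in-memory vault are constructed assumptions.

```python
"""Vault-based tokenization of sensitive fields (added example).

Written for this page as an illustration of the data-centric approach the
comment describes; it is not the commenter's or any vendor's code. The
records, field names and the in-memory vault are constructed assumptions.
Tokens are random, not derived from the value, so a stolen copy of the
application data reveals nothing without the separately secured vault.
"""
import secrets
from typing import Dict, List

# Constructed customer records (not real data).
CUSTOMERS: List[Dict[str, str]] = [
    {"customer_id": "C1001", "name": "A. Customer",
     "card_number": "4111 1111 1111 1111", "email": "a.customer@example.com"},
    {"customer_id": "C1002", "name": "B. Customer",
     "card_number": "5555 5555 5555 4444", "email": "b.customer@example.com"},
]

# Field name -> tokenization style ("pan" keeps length and last four digits).
SENSITIVE_FIELDS = {"card_number": "pan", "email": "text"}


class TokenVault:
    """Stand-in for a token vault that would live on its own trust boundary.

    Only the vault can map a token back to the value it replaced.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def _remember(self, value: str, token: str) -> str:
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def tokenize_pan(self, pan: str) -> str:
        """Replace a card number with a random digit string of the same
        length that keeps the last four digits, so receipts and lookups
        showing '**** 1111' keep working on the tokenized copy."""
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValueError("not a card number")
        if digits in self._value_to_token:          # same value -> same token
            return self._value_to_token[digits]
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject the (astronomically unlikely) collision with the real
            # number or with a token already issued.
            if token != digits and token not in self._token_to_value:
                return self._remember(digits, token)

    def tokenize_text(self, value: str) -> str:
        """Replace any other string (e.g. an e-mail address) with an opaque token."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        return self._remember(value, "tok_" + secrets.token_hex(16))

    def detokenize(self, token: str) -> str:
        """Authorized path only: recover the original value."""
        return self._token_to_value[token]


def tokenize_record(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    """Copy of record with every sensitive field swapped for a token."""
    out = dict(record)
    for field, kind in SENSITIVE_FIELDS.items():
        if field in out:
            out[field] = (vault.tokenize_pan(out[field]) if kind == "pan"
                          else vault.tokenize_text(out[field]))
    return out


def exposure(tokenized: List[Dict[str, str]], originals: List[Dict[str, str]]) -> int:
    """How many original sensitive values survive verbatim in the copy an
    attacker could exfiltrate? Zero is the goal."""
    real = {r[f].replace(" ", "") for r in originals
            for f in SENSITIVE_FIELDS if f in r}
    return sum(1 for r in tokenized for f in SENSITIVE_FIELDS
               if f in r and r[f].replace(" ", "") in real)


if __name__ == "__main__":
    vault = TokenVault()
    safe_copy = [tokenize_record(vault, r) for r in CUSTOMERS]
    for r in safe_copy:
        print(r)
    print("original values exposed:", exposure(safe_copy, CUSTOMERS))
```

The caveat a practitioner will want: a vault turns the problem into protecting one small, heavily guarded mapping store, so it must sit on a different trust boundary (separate network segment, separate credentials) from the systems that hold the tokenized records, or an attacker who gets both has gained nothing from the exercise. Format-preserving encryption (NIST SP 800-38G, FF1) reaches the same end with a key instead of a lookup table and is the usual choice when a vault round-trip on every read is not acceptable; it is omitted here because a correct FF1 implementation is considerably longer than this example.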

  6. DoppelPaymer is a problematic strain we have witnessed successfully infiltrating numerous large-scale global organisations in recent times: a strain which is infamous for its initial immense ransom demands, often negotiated to a much smaller amount if the organisation chooses to pay.

     Unfortunately for Kia there is no guarantee that if the ransom is paid, DoppelPaymer's operators shall not leak any sensitive data.

     Whichever eventuality the company selects, as stressful as the situation will currently be for Kia, for the salvation of the company's reputation the priority going forward needs to be their clients and shareholders. Communication is key.

  7. Unfortunately, these types of attacks are becoming all too common. DoppelPaymer and others are immensely more profitable when they target large organisations and disrupt their critical IT operations – in this case, Kia's mobile UVO Link apps, payment systems, owner's portals, and internal dealership sites. These ransomware scenarios should be factored into an organisation's incident response and business continuity plans. Beyond a technical response, decision makers need to be prepared to weigh the risks and consequences of alternate actions. Ransomware threat actors typically rely on spear phishing links or vulnerable public services to gain initial entry into a network. Afterward, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption. Cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and the use of continuously updated threat intelligence should be used to protect IT and operational environments from ransomware.

  8. If news reports are accurate, Kia Motors has long since passed the panic mode in dealing with a massive ransomware attack that has affected operations for more than five days. From afar, it appears the attackers have taken Kia Motors to its knees. Think about the scale of the problem for a company of this size with tens of thousands of employees and thousands of dealerships. Every additional hour and day they are incapacitated is costing the company tens of millions of dollars that will not be recouped. While details are scant at this time, Kia's transparency about the attack is extremely important so that as an industry we can understand how the threat actors were successful and what can be done to eliminate the risk in the future. I've said it many times over the years, but at some point these wide-scale and massive cyber attacks will be a wake-up call for companies to improve their security posture and roll out around-the-clock threat hunting services to increase the likelihood malicious activity can be uncovered in the beginning stages of an attack and stopped before material losses occur.
