As yet, Kia Motors America has publicly acknowledged an “extended system outage,” but the Doppel Paymer ransomware gang claims to have locked down the company’s files in a cyber-attack that includes a $20m ransom demand.
The Doppel Paymer ransomware gang claims credit for Kia’s outage & demands $20m in a double-extortion attack.
That $20m would buy Kia a decryptor & a guarantee not to publish sensitive data on the gang’s leak site.
Hyundai Motor America
The ransom note from Doppel Paymer, first published by Bleeping Computer, said the attack was on Hyundai Motor America, the parent company of Kia Motors America, based in Irvine, Calif.
It went on to say that the company has 2 to 3 weeks to pay 404 Bitcoins, which is around $20m as of this writing. To add a sense of urgency, the threat actors warn that a delay in payment could result in the ransom being raised to $30m.
The outage affected Kia’s mobile apps like Kia Access with UVO Link, UVO e-Services & Kia Connect, as well as self-help portals & customer support, the company told the outlet in a statement, adding, “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”
Kia said that the UVO app & owner’s portal are now operational & added that it still has no evidence of a ransomware attack.
Kia Customers Out in the Cold
While Kia is not disclosing details about the cause of the interruption, Kia customers have noticed & are taking to social media to try to find answers.
Over the weekend, social-media posts described the fallout of the outage felt by Kia customers, particularly those in the midst of extreme winter weather conditions who were unable to access features like remote start on their cars because the app was down.
“Coldest day of the year and my #kia #uvo app doesn’t work,” Twitter user @big2mo wrote on Feb. 13. “The server is not responding.”
Another Twitter user, @trustartz, tagged Kia in a post: “Perfect weather for my @Kia access not to work,” he wrote. “At the time I actually need it.”
The Kia Motors account responded with a vague apology on Feb. 15, days after the first reports of outages emerged on Feb. 13.
“We apologize we are having server issues that may affect your ability to login to the UVO app or send commands. We are working to resolve it as quickly as possible. An update will be provided as soon as possible. Thank you for your patience.”
— Kia Motors America (@Kia) February 15, 2021
Andrea Carcano, co-founder of Nozomi Networks, said that ransomware attacks like these are becoming commonplace & that this one looks a lot like other Doppel Paymer attacks he has seen.
Critical IT Operations
“Doppel Paymer & others are immensely more profitable when they target large organizations & disrupt their critical IT operations – in this case, KIA’s mobile UVO Link apps, payment systems, owner’s portals & internal dealership sites,” Carcano commented.
Groups like Doppel Paymer are experts at figuring out how to cause their victims the most pain to get them to pay up, Erich Kron from KnowBe4 explained.
“In this case, the attack has impacted many significant IT systems, including those needed for customers to take delivery of their newly purchased vehicles. This could cost the organisation a considerable amount of money as well as reputational damage with current & potential customers,” Kron observed.
Beyond damaging critical operations, ransomware threat actors have learned how to pile on the pressure, threatening that a company’s most sensitive stolen data will be exposed on well-known leak sites if it doesn’t pay up fast. This tactic is known as double extortion.
“Like so many modern types of ransomware, Doppel Paymer not only cripples the organisation’s ability to conduct business, but also extracts sensitive data that is used for leverage against the victim, in an effort to get them to pay the ransom,” Kron explained.
Regulatory & Other Fines
“Unfortunately, with very few exceptions, once the data has left the organisation, a data breach has occurred, & the organisation will be subject to regulatory & other fines as a result. Even if the data is not published publicly, it will most likely be sold eventually or traded on the dark web.”
Kron added that these breaches most often occur through social-engineering attacks, such as spearphishing.
“Doppel Paymer, like most other ransomware strains, is generally spread through phishing emails, so organisations should ensure employees are trained to spot & report the suspicious emails that could potentially be used to attack them,” he recommended.
“Combining ongoing training & regularly scheduled simulated phishing tests is extremely effective in preparing employees to defend against these types of attacks.”
Besides expanding cyber-security training for employees, Trevor Morgan, Product Manager for Comforte AG, recommends that companies like Kia take steps to protect their most sensitive data before a breach happens.
“The ironic thing is that enterprises can avoid the threat of leaked hijacked data simply by taking a data-centric approach to protecting sensitive information,” Morgan suggested.
“Using tokenisation or format-preserving encryption, businesses can obfuscate any sensitive data within their data ecosystem, rendering it incomprehensible no matter who has access to it. These reports should all be treated as cautionary tales, as an enterprise might find themselves in the same boat without the proper data-centric approach.”
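To make Morgan’s point concrete, here is an added example of the data-centric approach he describes; it is not code from the article, from Comforte AG or from Kia. It is a minimal vault-based tokenization service in Python: sensitive fields (a VIN and a payment card number) are replaced in the application records by random, format-preserving tokens, and only the vault can map a token back. The customer records, VINs, card numbers and every function and class name below are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample records (made-up names, VINs and card numbers).
SAMPLE_RECORDS = [
    {"customer": "A. Example", "vin": "KNDJ23AU1M7000001", "card": "4111111111111111"},
    {"customer": "B. Example", "vin": "KNDJ23AU1M7000002", "card": "4111111111111111"},
]


def _format_preserving_token(value: str, keep_tail: int) -> str:
    """Random token with the same length and character classes as value.

    Digits map to random digits, letters to random letters (case kept), and
    any other character is copied through, so downstream systems that
    validate length or shape keep working. The last keep_tail characters are
    left in clear (e.g. the last four of a card number for customer display).
    """
    cut = len(value) - keep_tail
    head, tail = value[:cut], value[cut:]
    out = []
    for ch in head:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out) + tail


@dataclass
class TokenVault:
    """In-memory stand-in for a tokenization vault (hypothetical).

    Only an instance holding these mappings can reverse a token; a copy of the
    application database on its own contains nothing but tokens.
    """
    lookup_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _by_fingerprint: dict = field(default_factory=dict)  # HMAC(value) -> token
    _by_token: dict = field(default_factory=dict)        # token -> value

    def _fingerprint(self, value: str) -> str:
        # Keyed hash so equal inputs get the same token (joins and duplicate
        # checks still work) without keeping a plain index of clear values.
        return hmac.new(self.lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str, keep_tail: int = 0) -> str:
        if not any(ch.isalnum() for ch in value[:len(value) - keep_tail]):
            raise ValueError("nothing to tokenize outside the kept tail")
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = _format_preserving_token(value, keep_tail)
        # Reject the (astronomically unlikely) collision or identity token.
        while token in self._by_token or token == value:
            token = _format_preserving_token(value, keep_tail)
        self._by_fingerprint[fp] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued.
        return self._by_token[token]


def protect_records(records, vault: TokenVault):
    """Return copies of records with VIN and card replaced by tokens.

    This is the form in which the application database stores the data; the
    clear values live only inside the vault.
    """
    protected = []
    for rec in records:
        protected.append({
            "customer": rec["customer"],
            "vin": vault.tokenize(rec["vin"]),
            "card": vault.tokenize(rec["card"], keep_tail=4),
        })
    return protected


if __name__ == "__main__":
    vault = TokenVault()
    for row in protect_records(SAMPLE_RECORDS, vault):
        print(row)
```

The design choice worth noting: tokens here are random values tied to the clear data only through the vault’s tables, so an exfiltrated copy of `protect_records` output is worthless without the vault, and the vault is a much smaller, more tightly controlled system to defend. Keyed format-preserving encryption (such as NIST FF1) achieves a similar shape-preserving result without a lookup table, at the cost of making the key the thing that must never leak; either way the sensitive values are not sitting in clear in the systems an intruder is most likely to reach.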