Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers

Updated Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports.

The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm's network. A Honda spokesman told the media it appeared to have "hit the company's internal servers."

Some Honda factories around the world were forced to suspend production, though output from Turkey, India, USA and Brazil locations remain on hold at the time of writing.

At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable. We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding.

— Honda Automobile Customer Service (@HondaCustSvc) June 8, 2020

Sky News reported yesterday that Honda's networks began to suffer "issues" on Monday, and that "the company believed it was the result of unauthorised attempts to breach its systems."

A Honda spokesbeing told several outlets: "We can confirm some impact in Europe and are currently investigating the exact nature."

Another statement from the firm today added: "Work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities."

In the meantime, multiple researchers have suggested the culprit was Ekans, with one Milkr3am, posting screenshots on Twitter of a sample submitted to VirusTotal today that checks for the internal Honda network name of "mds.honda.com".

Professor Alan Woodward of the University of Surrey told El Reg: "With a just-in-time system you need only a small outage in IT to cause a problem. As it happens I think Honda have recovered quite quickly. A few countries' facilities are still affected but they seem to be coming back very fast, which suggests they had a good response plan in place."

The speed at which the malware spread in Honda's network indicates that some the company has centralised functions, "the usual culprits are finance," he added.

"Virus Total seem[s] to suggest it might even be a modified version of Ekans, which would suggest a very targeted attack. Not your usual scatter gun approach... If that's the case, this malware does actually have some elements which are tailored to attack ICS so it may be that some of their production facilities were affected directly."

"Ekans is a derivative of Snake - it's the name of the ransomware. It is unusual in that it is one of the few pieces of ransomware that has ability to target industrial control systems. It was used with devastating consequences against a German firm not long ago," he explained.

Threat analysis outfit Dragos published a summary of Ekans’ operations back in February, highlighting its targeting of industrial control systems (ICSes). The firm said: “While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space.” The Ekans sample analysed by Dragos kills system processes on the target machine, those processes including antivirus, database backup suites and ICS processes. An analyst added that Ekans’ ransomware must be launched “either interactively or via script to infect a host”.

The malware is already in the wild and so could have been launched by anyone, said Professor Woodward. But he said it appears "targeted as Virus Total [is] suggesting that it may have been specially modified to access Honda servers and penetrate network that way."

He added: "I'm impressed at how fast Honda are recovering. They obviously learned from when they were whacked with Wannacry."

If correct, this would suggest the same hacker crew targeted Honda as the one that hit a German hospital group called Fresenius some weeks ago. The operator of Ekans appears to be fairly new on the ransomware scene. ®

Updated at 19:13 BST on 9 June 2020 to add:

Honda can confirm that a Cyber Attack has taken place on the Honda network. We can also confirm that there is no information breach at this point in time. Work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities. At this point, we see minimal business impact.