Ransomware Attack Leaves Honda Stuck in Park
 

A ransomware attack took down portions of Honda Motor Co. this week, locking up systems and halting vital manufacturing operations in several countries.

Over the weekend, Honda shut down factories in Japan, Europe and the U.S., after becoming aware of a cyberattack across its worldwide network, according to a Honda U.S. spokesman.[1]

According to the BBC, work was halted at operations in Japan, North America, the U.K., Turkey and Italy.[2] In a social media post, Honda also noted disruptions to customer service and Honda Financial Services.[3] According to some media reports, Honda indicated that many business processes were affected, but that some plants had been able to resume production.[4]

SNAKE/EKANS Ransomware Blamed

While Honda gave no details on the origin of the attack, reports suggest that it is caused by the SNAKE ransomware, also known as EKANS (Snake spelled backwards), which appears specifically geared to compromising industrial control systems (ICS), said Carl Wearn, Head of E-Crime at Mimecast.

“EKANS has a limited capability to shut down some processes, and brute-forces compromise to exfiltrate and then encrypt information to hold for ransom,” he said.

Wearn noted that the speed which the attack compromised the company and encrypted its data suggests that the attack was likely carried out by a criminal group as opposed to nation-state actors, which typically take a more long-term approach that seeks to infiltrate systems and extract data unnoticed.

Though Honda didn’t provide details of how the attack occurred, email phishing or hacking vulnerable unpatched systems are suspected, Wearn said. Another delivery method recently favored by ransomware threat actors has been exploit kits, which are placed on websites and seek to automatically exploit existing vulnerabilities in browsers or plug-ins.

It is possible that Honda was specifically targeted, but it’s more likely that the company fell victim to a wide-ranging campaign targeting manufacturing in general, said Wearn. Cyber criminals have shown an “intense focus on this vertical throughout recent months,” he said.

Ransomware generally encrypts all available data on a system and network in order to hold it to ransom and significantly disrupt the business until payment is made. The fact that the SNAKE/EKANS ransomware impacts Honda’s core manufacturing operations would add to the pressure to pay the ransom, Wearn said.

“The disruption to ICS processes is obviously an enhancement that aids coercion to force payment,” he said. Assuming that the attack was in fact carried out by a criminal group, “I would expect a demand to have been made, with threats to release data online if not paid promptly.”

The timing was unfortunate for the automaker, whose business has already been impacted by the COVID-19 pandemic and the ensuing lockdown.[5] The Japanese industrial conglomerate makes nearly 32 million vehicles a year—cars, motorcycles and other vehicles—at factories in all five continents.[6]

A Broader Ransomware Resurgence

Honda’s attack is part of a wave of ransomware attacks that have plagued organizations worldwide in recent months, affecting both large and smaller organizations. Multiple industries have been affected, including healthcare organizations, which have experienced a growing volume of ransomware attacks. Among organizations surveyed for Mimecast’s State of Email Security 2020, 51% said they had suffered a ransomware attack that impacted business operations during the past 12 months, causing an average of three days of downtime.

The insurance company Beazley also reported recently that ransomware attacks were up 25% year over year during the first quarter of 2020.[7] The FBI’s Internet Crime Complaint Center had previously warned that the complexity of the attacks is on the rise, saying they are becoming “more targeted, sophisticated and costly.” [8]

“Ransomware is a huge ongoing threat which can only be mitigated significantly by taking adequate cybersecurity and resiliency measures before the fact, including offline back-ups, and the use of email and file fallback capabilities,” said Wearn. Increasing user awareness through cybersecurity training may also help to make employees less likely to click on dangerous links or attachments as well as multiple layers of prevention.

The FBI has published a list of best practices to help organizations fight off ransomware attacks, including: [9]

• Regularly clean and store data offline
• Configure access to data with the least privilege in mind
• Focus on security awareness and training your employees
• Patch all vulnerabilities as they are discovered
• Implement application whitelisting

The Bottom Line

As the Honda attack shows, ransomware attacks remain a high risk for organizations in all industries, including manufacturing. Appropriate cybersecurity and resiliency measures can help cyber criminals’ hands off your data.

[1] “Honda Puts Some Manufacturing on Hold Over Computer Disruption” NBCNews.com, June 8, 2020

[2] “Honda’s Operations Hit by Cyber Attack” BBC.com, June 9 2020

[3] Twitter, June 8

[4] “Honda pauses production and closes offices following ransomware attack,” The Verge

[5] Consolidated Financial Summary for the Fiscal 4th Quarter and The Fiscal Year Ended March 31, 2020” Honda IR Press release, May 12. 2020

[6] “Company Overview”

[7] “The Enduring Threat of Ransonware” Beazley Breach Insights, June 9, 2020

[8] “High-Impact Ransomware Attacks Threaten  U.S. Businesses and Organizations”  FBI alert, October 2, 2019

[9] “High-Impact Ransomware Attacks Threaten  U.S. Businesses and Organizations”  FBI alert, October 2, 2019