Kia Motors America Faces $20 Million Ransomware Demand – Report

South Korean car maker Kia admits it has suffered an “extended systems outage”, but says there is no evidence of ransomware

There are conflicting reports as to whether computers systems in America, belonging to South Korean car maker Kia, have suffered a ransomware attack.

It is being widely reported that Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for decryption and not to leak stolen data.

But in a statement to BleepingComputer, Kia admitted it was suffering from an “extended systems outage” but saw no evidence of a ransomware attack.

ransomware

KIA outage

Kia was most recently in the headlines earlier this month when it and Hyundai denied they were in talks with Apple to develop self-driving cars, despite media speculation.

Kia Motors is part of the Hyundai Motor Group.

BleepingComputer reported on Wednesday that Kia Motors America (KMA) was suffering a nationwide IT outage that has affected its mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal sites used by its 800 dealerships in America.

When visiting their sites, users were met with a message stating that Kia is “experiencing an IT service outage that has impacted some internal networks.”

But a Kia owner tweeted that when they attempted to pick up their new car, a dealership told them that the servers were down for three days due to a ransomware attack.

When BleepingComputer contacted Kia Motors America on Wednesday about these outages and ransomware reports, KMA said it was working on resolving the outage.

“KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO,” it reportedly said. “We apologise for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.”

Ransomware demand

And BleepingComputer reportedly obtained a ransom note that it was told was created during the alleged Kia Motors America cyberattack by the DoppelPaymer ransomware gang.

In a ransom note seen by BleepingComputer, the attackers state that they attacked Hyundai Motor America, Kia’s parent company. Hyundai does not appear to be affected by this attack.

The ransom note reportedly contains a link to a private victim page on the DoppelPaymer Tor payment site that once again states the target is ‘Hyundai Motor America.’

The Tor page also said that a “huge amount” of data was stolen, and that it will be released in 2-3 weeks if the company does not negotiate with the threat actors.

DoppelPaymer is reportedly demanding 404 bitcoins worth approximately $20 million.

Kia response

But Kia contracted BleepingComputer, and stated that it has seen no evidence that it has suffered a ransomware attack.

“Kia Motors America, Inc is currently experiencing an extended systems outage,” the firm said in its statement to BleepingComputer. “Affected systems include the Kia Owners Portal, UVO Mobile Apps, and the Consumer Affairs Web portal.”

“We apologise for any inconvenience to affected customers, and are working to resolve the issue as quickly as possible with minimal interruption to our business,” it reportedly added. “

We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack,” it said. “At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”

Global threat

A number of security experts offered their take on the incident, despite Kia refusing to confirm if it was subject to a ransomware attack.

“Ransomware continues to be a global cybersecurity threat,” noted Niamh Muldoon, global data protection officer at OneLogin (onelogin.com). “In the business of cybercrime, ransomware takes the top spot since it has a high ROI by holding the victims’ ransom for financial payment.”

“During 2021, we will definitely see cyber-criminal individuals and groups try to maximize their return of investment with their attacks, whether it’s targeting high-value individuals and/or large enterprise organizations like a car company,” said Muldoon.

“The key message here is no one person or industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure you and your critical information assets remain safeguarded and protected against it,” Muldoon concluded.

Skilled attackers

Another security expert warned that the DoppelPaymer gang have spent their time honing their criminal skills.

“This is an example of how disruptive ransomware can be, even for the largest organisations,” said Erich Kron, security awareness advocate at KnowBe4 (knowbe4.com). “Cybercriminals, such as those in the DoppelPaymer gang responsible for this attack, have honed their skills to create the most mayhem and disruption possible, in an effort to demand these incredibly high ransoms.”

“Like so many modern types of ransomware, DoppelPaymer not only cripples the organisation’s ability to conduct business, but also extracts sensitive data that is used for leverage against the victim, in an effort to get them to pay the ransom,” said Kron. “Unfortunately, with very few exceptions, once the data has left the organisation, a data breach has occurred, and the organisation will be subject to regulatory and other fines as a result. Even if the data is not published publicly, it will most likely be sold eventually or traded on the dark web.”

Kron warned that DoppelPaymer, like most other ransomware strains, is generally spread through phishing emails.

Ransom demand

Another expert agreed that any stolen data is unlikely to remain safe, even if a ransom is paid.

“DoppelPaymer is a problematic strain we have witnessed successfully infiltrating numerous large-scale global organisations in recent times: a strain which is infamous for its initial immense ransom demands, often negotiated to a much smaller amount if the organisation chooses to pay,” said Natalie Page, threat intelligence analyst at Talion.

“Unfortunately for Kia there is no guarantee that if the ransom is paid, DopplePaymer’s operators shall not leak any sensitive data,” Page added. “Whichever eventuality the company selects, as stressful as the situation will currently be for Kia, for the salvation of the company’s reputation the priority going forward needs to be their clients and shareholders. Communication is key.”