Honda Ransomware Attack



For the third time in just twelve months, Honda has fallen victim to a cybersecurity breach. Unlike the incidents in July and December 2019, there’s no suggestion that this latest attack has exposed customer data or sensitive commercial information. Despite this, it has inflicted widespread disruption on the firm’s global manufacturing operations and has led to the suspension of entire business units, including Honda Customer Services and Honda Financial Services.


Following a report by the BBC, the Japanese car-maker confirmed on June 8th that it had been hit by a cyberattack, which is understood to have disrupted manufacturing operations in the company’s home country, as well as in the United Kingdom, North America, Turkey and Italy. Analysis of code snippets posted online suggests that the SNAKE / EKANS ransomware family might lie at the centre of this latest high-profile attack.


First widely seen in January 2020, EKANS’ mode of operation is a familiar one. Once deployed onto a host system, it begins to systematically encrypt critical business data before eventually alerting the system’s owner and demanding payment in return for the decryption key. Unlike most ransomware in circulation, however, EKANS has been designed with a very specific mission in mind: to target and disrupt industrial control system (ICS) environments, such as those upon which manufacturing plants are entirely dependent.


The key to EKANS’ specificity is the inclusion of a so-called ‘kill list’: a list of system processes which it seeks to disable, before starting to encrypt files. This kill list is hard coded into the EKANS malware and includes several processes which are specific to supervisory control and data acquisition (SCADA) systems, industrial control systems, network management tools and so on. In short, this is ransomware designed to bring automated industrial facilities to a standstill.
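The kill-list behaviour described above is also a detection opportunity: a single process terminating several ICS-related services within seconds, before any encryption, is not something a normal operator session does. The following detector is an added example, not code from the article or from any vendor; the process names in the watchlist and the log lines are constructed for illustration, since the article does not reproduce the actual EKANS kill list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of ICS/SCADA process names (hypothetical; the
# real EKANS kill list is not reproduced in the article).
ICS_WATCHLIST = {"historian.exe", "scada_srv.exe", "hmi_runtime.exe",
                 "plc_bridge.exe", "nms_agent.exe"}

# Constructed sample of process-termination telemetry, one event per line.
SAMPLE_LOG = """
2020-06-08T06:12:01 host=plant-hmi-01 actor=svchost.exe action=terminate target=notepad.exe
2020-06-08T06:12:03 host=plant-hmi-01 actor=update.exe action=terminate target=historian.exe
2020-06-08T06:12:04 host=plant-hmi-01 actor=update.exe action=terminate target=scada_srv.exe
2020-06-08T06:12:05 host=plant-hmi-01 actor=update.exe action=terminate target=hmi_runtime.exe
2020-06-08T06:12:06 host=plant-hmi-01 actor=update.exe action=rename target=report.xlsx
2020-06-08T06:20:00 host=plant-hmi-02 actor=operator.exe action=terminate target=historian.exe
2020-06-08T07:05:00 host=plant-hmi-02 actor=operator.exe action=terminate target=scada_srv.exe
"""

def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect_kill_bursts(lines, window=timedelta(seconds=30), threshold=3):
    """Alert when one actor on one host terminates >= threshold distinct
    watchlisted processes within the sliding time window."""
    kills = defaultdict(list)  # (host, actor) -> [(ts, target), ...]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        target = rec.get("target", "").lower()
        if rec.get("action") == "terminate" and target in ICS_WATCHLIST:
            kills[(rec["host"], rec["actor"])].append((rec["ts"], target))
    alerts = []
    for (host, actor), events in kills.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append({"host": host, "actor": actor,
                               "first_seen": start, "killed": sorted(seen)})
                break  # one alert per (host, actor) is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only plant-hmi-01 is flagged: operator.exe on plant-hmi-02 also kills two watchlisted processes, but 45 minutes apart, which is the pattern of routine maintenance rather than a pre-encryption sweep.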


It’s perhaps not surprising, therefore, that samples of the ransomware from the June 8th attack have been found to contain code aimed specifically at Honda’s systems. Indeed, early analysis suggests that this variant of EKANS was designed to activate only if it could successfully resolve the hostname ‘mds.honda.com’.


It isn’t entirely clear just yet how the ransomware infiltrated Honda’s systems, but a common entry point for EKANS is via an insecure remote desktop protocol (RDP) connection. Industry sources provide some evidence that Honda had left this particular door open.


There is every indication that Honda responded to the attack promptly, with a clear strategy designed to limit the spread of the ransomware and minimise disruption to their business. The fact that news of the incident has reached front pages and industry blogs worldwide, however, shows the potential for such attacks to inflict both financial and reputational damage.


Firms have moved swiftly to safeguard business continuity during the global lockdown, and this has presented cyber attackers with an unmissable opportunity to exploit vulnerabilities in hastily deployed systems and in users who are unfamiliar with the security considerations around remote working.


To combat this determined and opportunistic threat, organisations should take extra care to ensure that their systems are properly configured and protected:

- RDP connections should be secured and monitored at all times

- Threat detection and prevention software should be deployed, monitored and updated across all business systems (noting that ransomware gangs often seek to introduce malware by exploiting vulnerabilities in systems that are deemed low priority and low risk)

- Offline data backups should be maintained so that, even in the event of widespread data loss from operational systems, recent and clean backups are available



Staff should be trained to recognise and respond to some of the risks associated with remote working – particularly the increased prevalence of social engineering attacks using common techniques such as phishing, whaling, covert redirects and business e-mail compromise.


In addition, organisations should ensure that they have a clear and effective incident response strategy, which can be put into action as soon as a threat is detected. Ransomware gangs act quickly, but robust security, monitoring, detection and effective response can significantly mitigate the threat.


If you need expert advice or assistance to ensure that your business is properly protected against cyber threats, or if you need help in dealing with an urgent incident, call us on +44 2030 393 395 or email incident@marclay.co.uk