
Kia Motors America Suffers a $20 Million Suspected DoppelPaymer Ransomware Attack

Automaker Kia Motors America (KMA) suffered a suspected DoppelPaymer ransomware attack affecting internal and customer-facing systems.

The ransomware gang claimed responsibility for the attack and demanded $20 million worth of Bitcoin in exchange for a decryptor and a promise not to leak the stolen data online.

However, the Irvine, California-based automaker denied that it was the subject of a ransomware attack. It did acknowledge an extended system outage that left some customers unable to use their cars' remote start and heating features, according to BleepingComputer.

KIA core systems were shut down by a suspected DoppelPaymer ransomware attack

The nationwide outage affected Kia's UVO Link mobile apps, payment services, phone services, owner portal, and dealerships' internal systems.

Buyers reported being told by dealerships that they could not pick up their cars because of a system outage caused by a ransomware attack.

The company acknowledged the outage affecting dealer and customer-facing systems and promised that it was working to resolve the issue.

BleepingComputer obtained a ransom note generated by the DoppelPaymer threat actors during the attack. The note was addressed to Hyundai Motor America, the US arm of Kia's parent group, rather than to Kia itself, and the gang's leak-site victim page likewise referred to "Hyundai Motor America," according to BleepingComputer.

DoppelPaymer threatened to publish the exfiltrated data within two to three weeks if KMA failed to negotiate a settlement, and to raise the ransom from the initial 404 Bitcoins (about $20 million at the time) to 600 Bitcoins (about $30 million).

Kia Motors America and Hyundai deny any DoppelPaymer ransomware attack

Kia Motors America acknowledged experiencing an extended systems outage that affected systems, including the Kia Owner Portal, UVO Mobile Apps, and the Consumer Affairs Web portal.

The company apologized for any inconvenience to affected customers, including those depending on the remote start and heating features, promising to restore the affected systems as quickly as possible.

“We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack,” the company’s statement read.

Hyundai also experienced system outages similar to those at Kia Motors. Its internal systems and dealer sites were unreachable, but the company denied that the disruption originated from a ransomware attack.

The DoppelPaymer ransomware gang follows a double-extortion model, threatening to publish stolen data online if the victim refuses to pay the ransom. Past victims include PEMEX (Petróleos Mexicanos), Bretagne Télécom, the City of Torrance in California, Hall County in Georgia, Foxconn, Newcastle University, Compal, and Banijay Group SAS.

The DoppelPaymer group has not disclosed the type of data allegedly stolen from Kia and Hyundai. However, the simultaneous disruptions at both companies appear too coincidental to be random technical glitches.

Perhaps Kia and Hyundai intend to cover up the ransomware attack, or DoppelPaymer ransomware operators wished to capitalize on the outage to improve their “street cred.”

Every successful ransomware attack carries a huge reputational cost to the affected companies. Consequently, it’s not uncommon for organizations to initially deny such attacks, only to acknowledge them later when the media attention subsides.

“This is an example of how disruptive ransomware can be, even for the largest organizations,” says Erich Kron, security awareness advocate at KnowBe4. “Cybercriminals, such as those in the DoppelPaymer gang responsible for this attack, have honed their skills to create the most mayhem and disruption possible, in an effort to demand these incredibly high ransoms.”

Kron added that the attack “impacted many significant IT systems, including those needed for customers to take delivery of their newly-purchased vehicles,” costing the company not only revenues but also “reputational damage with current and potential customers.”

Trevor Morgan, product manager at comforte AG, says:

“The very recent ransomware attack on Kia Motors America demonstrates just how important it is for every organization to rethink data security. Threatened with an imminent leak of stolen data, Kia must now assess just how much sensitive information might be released if they don’t meet the terms of the threat actors. Hopefully, they are able to navigate this situation effectively with minimal damage.”

“The alert warns a ‘HUGE’ amount of data was exfiltrated from Kia Motors America,” says Garret Grajek, CEO at YouAttest. “This is usually a sign the hackers were in the system for a long time, e.g. the hackers had a long dwell-time (dwell-time is the amount of time during which an attack goes undetected). According to one report from Booz Allen Hamilton, cybersecurity dwell times may last between 200-250 days before discovery.”

Grajek noted that attackers gain initial access through social engineering tactics such as phishing, and by exploiting weak or default admin passwords, among other methods.

“They might even be a Trojan horse inside a legitimate agent (e.g. SolarWinds). The logical defense is to detect their actions once they penetrate the system. We know that in the Kill Chain, the attacker is going to attempt lateral movement and escalation of privileges. This is the point where we have to identify and stop the attack.”


Grajek says that “enforcing the NIST PR.AC-6 principle of least privilege” would prevent privilege escalation during attacks.

“Organizations need to adopt solutions that force an immediate review of the account escalation attempts using IT audit and security access review products.”
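The detection point Grajek describes, catching privilege escalation and lateral movement in the audit trail before data is staged for exfiltration, can be illustrated with a small rule-based detector. The following is an added example written for this page; it is not code from Kia, Hyundai, YouAttest or any vendor quoted above, and it makes no claim about how the Kia intrusion actually unfolded. It runs over a handful of constructed Windows Security audit events (the event IDs 4624, 4672, 4728/4732/4756 and logon types 3/10 are real Windows values; the allowlisted admin accounts, host names, the ten-minute window and the three-host threshold are assumptions chosen for the example):

```python
"""Toy detector for privilege-escalation and lateral-movement signals in
Windows Security audit events. Sample events below are constructed for this
example and are not telemetry from any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs used as signals (real IDs).
EV_LOGON = 4624                     # successful logon
EV_SPECIAL_PRIV = 4672              # special privileges assigned to new logon (admin-equivalent)
EV_GROUP_ADD = {4728, 4732, 4756}   # member added to global / local / universal security group

# Policy knobs: all assumptions for this example, tune to the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ADMIN_ALLOWLIST = {"svc_backup", "itadmin01"}   # accounts expected to hold admin rights
REMOTE_LOGON_TYPES = {3, 10}                    # network / RemoteInteractive (RDP)
LATERAL_HOSTS = 3                               # distinct hosts within WINDOW triggers an alert
WINDOW = timedelta(minutes=10)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Return a list of (rule, account, detail) alerts for a list of event dicts.

    Three rules:
      privileged_group_add   - an account is added to a privileged group
      unexpected_admin_logon - admin-equivalent logon by a non-allowlisted account
      lateral_movement       - one account logs on remotely to >= LATERAL_HOSTS
                               distinct hosts inside a sliding WINDOW
    """
    alerts = []
    remote_logons = defaultdict(list)   # account -> [(timestamp, host)] within WINDOW
    lateral_flagged = set()             # accounts already alerted on, to avoid repeats

    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO timestamps sort lexically
        eid, acct = e["EventID"], e["Account"]

        if eid in EV_GROUP_ADD and e.get("Group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", acct,
                           f"{e['Member']} added to {e['Group']} by {acct} on {e['Host']}"))

        elif eid == EV_SPECIAL_PRIV and acct not in ADMIN_ALLOWLIST:
            alerts.append(("unexpected_admin_logon", acct,
                           f"admin-equivalent logon on {e['Host']}"))

        elif eid == EV_LOGON and e.get("LogonType") in REMOTE_LOGON_TYPES:
            ts = parse_ts(e["ts"])
            # keep only logons still inside the sliding window, then add this one
            recent = [(t, h) for t, h in remote_logons[acct] if ts - t <= WINDOW]
            recent.append((ts, e["Host"]))
            remote_logons[acct] = recent
            hosts = {h for _, h in recent}
            if len(hosts) >= LATERAL_HOSTS and acct not in lateral_flagged:
                lateral_flagged.add(acct)
                alerts.append(("lateral_movement", acct,
                               f"remote logons to {sorted(hosts)} within {WINDOW}"))
    return alerts


# Constructed sample: a workstation user fans out across three servers, then
# adds itself to Domain Admins and logs on with admin rights; a legitimate
# service account and an allowlisted admin produce no alerts.
SAMPLE_EVENTS = [
    {"ts": "2021-02-13T02:00:05", "EventID": 4624, "Account": "jdoe", "Host": "WS-114", "LogonType": 2},
    {"ts": "2021-02-13T02:01:10", "EventID": 4624, "Account": "jdoe", "Host": "FS-01", "LogonType": 3},
    {"ts": "2021-02-13T02:02:30", "EventID": 4624, "Account": "jdoe", "Host": "SQL-02", "LogonType": 3},
    {"ts": "2021-02-13T02:03:45", "EventID": 4624, "Account": "jdoe", "Host": "DC-01", "LogonType": 10},
    {"ts": "2021-02-13T02:05:00", "EventID": 4728, "Account": "jdoe", "Host": "DC-01",
     "Member": "jdoe", "Group": "Domain Admins"},
    {"ts": "2021-02-13T02:05:30", "EventID": 4672, "Account": "jdoe", "Host": "DC-01"},
    {"ts": "2021-02-13T03:00:00", "EventID": 4672, "Account": "svc_backup", "Host": "FS-01"},
    {"ts": "2021-02-13T09:15:00", "EventID": 4624, "Account": "itadmin01", "Host": "FS-01", "LogonType": 3},
]

if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {account}: {detail}")
```

Run against the sample, the detector raises three alerts, all on `jdoe`: lateral movement after the third distinct remote host, the self-addition to Domain Admins, and the subsequent admin-equivalent logon. The allowlisted accounts stay silent. The point is the ordering: the group-membership change and the first admin logon are the "account escalation attempts" Grajek refers to, and a review triggered at that moment is what gives a defender a chance to act before the exfiltration stage.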