Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Kia Motors America Reportedly Hit by Ransomware: Denies the Report

February 22, 2021

BleepingComputer reported on February 17 that Kia Motors America had suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decryptor and a promise not to leak stolen data.

Kia Motors America (KMA) has nearly 800 dealers in the US, is headquartered in Irvine, California, and is a Kia Motors Corporation subsidiary.

On February 16, BleepingComputer noted that Kia Motors America was suffering a nationwide IT outage affecting their mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal sites used by dealerships.

When visiting their sites, users saw a message stating that Kia is “experiencing an IT service outage that has impacted some internal networks.”

In a ransom note seen by BleepingComputer, the attackers state that they attacked Hyundai Motor America, Kia’s parent company. Hyundai does not appear to be affected by this attack.

The ransom note contains a link to a private victim page on the DoppelPaymer Tor payment site that once again states the target is ‘Hyundai Motor America.’

The Tor victim page says that a “huge amount” of data was stolen from Kia Motors America, which will be released in 2-3 weeks if the company does not negotiate with the threat actors.

DoppelPaymer is well known for stealing unencrypted files before encrypting devices and then posting portions on their data leak site to pressure victims into paying the ransom.

To prevent the leak of the data and receive a decryptor, DoppelPaymer reportedly demanded 404 bitcoins worth approximately $20 million. If the ransom is not paid within a specific time frame, the amount increases to 600 bitcoins, or $30 million.

The theft of unencrypted files is now a widely used tactic by ransomware groups to pressure victims to pay, with Emsisoft stating it has affected more than 1,300 companies globally.

“Globally, more than 1,300 companies, many US-based, lost data including intellectual property and other sensitive information. Note, this is simply the number of companies which had data published on leak sites and takes no account of the companies which paid to prevent publication,” states Emsisoft’s 2020 State of Ransomware report.

In an update reported from multiple sources on February 17, Kia said: “We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.” Kia did acknowledge an extended systems outage.

TechRepublic reported on February 19 that the absence of details from Kia and Hyundai on the outage is raising a red flag.

“There are still no details shared from Kia on the source of the outage, declaring that it was a general network issue and not ransomware related,” Kevin Dunne, president at application security provider Greenlight, told TechRepublic. “However, DoppelPaymer is still actively declaring that they have Kia’s data under ransom. The lack of communication from Kia on another cause of the outage is concerning and does not build great credibility to users that their data is truly safe.”

The underlying cause of the outage is still officially unknown. But if the source was a third-party supplier, then a company like Kia would disclose that fact and keep pressure on the supplier to fix the problem, Dunne said. Further, the lack of a clear root cause this many days into the outage raises more questions than answers and does point to an attack from bad actors, Dunne added.

The truth tends to come out, so I’ll keep monitoring the situation.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson