DoppelPaymer ransomware gang claims credit for Kia’s outage, demands $20 million in double-extortion attack.
So far, Kia Motors America has publicly acknowledged an “extended system outage,” but ransomware gang DoppelPaymer claimed it has locked down the company’s files in a cyberattack that includes a $20 million ransom demand.
That $20 million will gain Kia a decryptor and a guarantee to not to publish sensitive data bits on the gang’s leak site.
The ransom note from DoppelPaymer, first published by BleepingComputer, said the attack was on Hyundai Motor America, the parent company of Kia Motors America, based in Irvine, Calif. It went on to say that the company has two to three weeks to pay up 404 Bitcoins, which is around $20 million as of this writing. To add a sense of urgency, the threat actors warn that a delay in payment could result in the ransom being raised to $30 million.
The outage affected Kia’s mobile apps like Kia Access with UVO Link, UVO eServices and Kia Connect, as well as self-help portals and customer support, the company told the outlet in a statement, adding, “We are also aware of online speculation that Kia is subject to a ‘ransomware” attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”
Kia told Threatpost that the UVO app and owner’s portal are now operational and added that there’s still have no evidence of a ransomware attack.
Kia Customers Out in the Cold
While Kia is not disclosing details about the cause of the interruption, Kia customers have noticed and are taking to social media to try and find answers.
Over the weekend social-media posts described the fallout of the outage felt by Kia customers, particularly those in the midst of extreme winter weather conditions who were unable to access features like remote start on their cars because the app was down.
“Coldest day of the year and my #kia #uvo app doesn’t work,” Twitter user @big2mo wrote on Feb. 13. “The server is not responding.”
Another Twitter user, @trustartz, posted this, tagging Kia, “Perfect weather for my @Kia access not to work,” he wrote. “At the time I actually need it.”
The Kia Motors account responded with this vague apology, without much detail, on Feb. 15, days after the first reports of outages started to emerge on Feb. 13.
“We apologize we are having server issues that may affect your ability to login to the UVO app or send commands. We are working to resolve it as quickly as possible. An update will be provided as soon as possible. Thank you for your patience.”
We apologize we are having server issues that may affect your ability to login to the UVO app or send commands. We are working to resolve it as quickly as possible. An update will be provided as soon as possible. Thank you for your patience. ^TS
— Kia Motors America (@Kia) February 15, 2021
Andrea Carcano, co-founder of Nozomi Networks, said ransomware attacks like these are becoming commonplace and that this looks a lot like other DopplePaymer attacks he has seen.
“DoppelPaymer and others are immensely more profitable when they target large organizations and disrupt their critical IT operations – in this case, KIA’s mobile UVO Link apps, payment systems, owner’s portals and internal dealership sites,” Carcano said.
Groups like DoppelPaymer are experts at figuring out how to cause their victims the most pain to get them to pay up, Erich Kron from KnowBe4 explained.
“In this case, the attack has impacted many significant IT systems, including those needed for customers to take delivery of their newly purchased vehicles. This could cost the organization a considerable amount of money as well as reputational damage with current and potential customers,” Kron said.
Beyond hobbling critical operations, ransomware threat actors have learned how to add on the pressure to companies, threatening that their most sensitive stolen data could be exposed on well-known leak sites if they don’t pay up fast. This tactic is known as double-extortion.
“Like so many modern types of ransomware, DoppelPaymer not only cripples the organization’s ability to conduct business, but also extracts sensitive data that is used for leverage against the victim, in an effort to get them to pay the ransom,” Kron explained. “Unfortunately, with very few exceptions, once the data has left the organization, a data breach has occurred, and the organization will be subject to regulatory and other fines as a result. Even if the data is not published publicly, it will most likely be sold eventually or traded on the dark web.”
Kron added these breaches most often occur with social-engineered attacks, like spearphishing.
“DoppelPaymer, like most other ransomware strains, is generally spread through phishing emails, so organizations should ensure employees are trained to spot and report the suspicious emails that could potentially be used to attack them,” he said. “Combining ongoing training and regularly scheduled simulated phishing tests, is extremely effective in preparing employees to defend against these types of attacks.”
But besides expanding cybersecurity training for employees, Trevor Morgan, product manager for comforte AG recommends companies like Kia take steps to protect their most sensitive data before a breach occurs.
“The ironic thing is that enterprises can avoid the threat of leaked hijacked data simply by taking a data-centric approach to protecting sensitive information,” Morgan said. “Using tokenization or format-preserving encryption, businesses can obfuscate any sensitive data within their data ecosystem, rendering it incomprehensible no matter who has access to it. These reports should all be treated as cautionary tales, as an enterprise might find themselves in the same boat without the proper data-centric approach.”
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.