After a cyberattack in early June left motor manufacturing giant Honda unable to function, it is reportedly still investigating the incident, although few details have yet been released. The company had only just restarted operations in Europe and the US after the coronavirus lockdown when it suddenly had to face a new threat – a ransomware attack. The attack seems to have begun on Sunday, June 7, when the company issued a brief statement:
Honda can confirm that a cyber attack has taken place on the Honda network. We can also confirm that there is no information breach at this point in time. Work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities. At this point, we see minimal business impact.[1]
It also later admitted, in a statement to the BBC, that ‘the problem was affecting its ability to access its computer servers, use email and otherwise make use of its internal systems.’ It added, ‘There is also an impact on production systems outside of Japan.’[2]
Apart from the statement, Honda has remained tight-lipped about the incident, leaving it to security researchers to try to piece together what happened. Code samples from the attack, shared online to Virus Total by a researcher, were analyzed by Malwarebytes Labs. They discovered that the samples fitted the profile for the Snake ransomware – also known as EKANS (Snake spelled backward).
We tested the ransomware samples publicly available in our lab by creating a fake internal server that would respond to the DNS query made by the malware code with the same IP address it expected. We then ran the sample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses. We detect this payload as ‘Ransom.Ekans’ when it attempts to execute.[3]
Snake ransomware first hit the headlines when it was discovered by MalwareHunterTeam and reverse-engineered by Vitali Kremez. Kremez found that Snake zeros in on a system and first removes Shadow Volume Copies. It then kills a list of processes, especially those related to ICS (industrial control systems).[4] Unlike other ransomware, Snake still allows computers to boot up and for the users to log in and access applications. However, the ransomware also encrypts all data files so that administration and customer service functions are also blocked. It then leaves a ransom note on the ‘C’ drive detailing how a decryption key may be obtained.
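The behaviour described above (shadow copy removal followed by termination of ICS-related processes) can be turned into a host-level detection. The script below is an added illustration, not code from Malwarebytes, Dragos or Honda: it assumes process-creation events as dicts, assumes the shadow copies are removed via `vssadmin` (the article does not say how Snake does it), and the ICS process names and log events are constructed.

```python
"""Flag hosts showing an EKANS/Snake-like sequence in process-creation events."""
from collections import defaultdict

# Constructed: names assumed to be ICS/engineering processes on this estate.
ICS_PROCESSES = {"historian.exe", "hmi_runtime.exe", "plc_bridge.exe"}
WINDOW_SECONDS = 600  # kills must follow the shadow deletion within 10 minutes

# Constructed sample events: host, epoch time, image name, command line.
SAMPLE_EVENTS = [
    {"host": "plant-hmi-01", "time": 1000, "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "plant-hmi-01", "time": 1030, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM historian.exe"},
    {"host": "plant-hmi-01", "time": 1035, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM hmi_runtime.exe"},
    {"host": "office-ws-07", "time": 2000, "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign: listing, not deleting
    {"host": "office-ws-07", "time": 2500, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},    # benign: not an ICS process
]


def is_shadow_deletion(ev):
    """True for a vssadmin invocation that deletes shadow copies (assumed method)."""
    c = ev["cmdline"].lower()
    return ev["image"].lower() == "vssadmin.exe" and "delete" in c and "shadows" in c


def killed_ics_process(ev):
    """Return the ICS process name a taskkill event targets, else None."""
    if ev["image"].lower() != "taskkill.exe":
        return None
    c = ev["cmdline"].lower()
    return next((name for name in ICS_PROCESSES if name in c), None)


def find_ekans_like_hosts(events, window=WINDOW_SECONDS, min_kills=2):
    """Map host -> sorted ICS processes killed within `window` seconds after a
    shadow-copy deletion, for hosts where at least `min_kills` were killed."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_shadow_deletion(ev):
                continue
            later = (e for e in evs[i + 1:] if e["time"] - ev["time"] <= window)
            killed = {killed_ics_process(e) for e in later} - {None}
            if len(killed) >= min_kills:
                hits[host] = sorted(killed)
    return hits
```

Running `find_ekans_like_hosts(SAMPLE_EVENTS)` flags only `plant-hmi-01`; the office workstation's listing and single non-ICS kill do not match.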
In this latest attack, and a parallel attack on a company belonging to Enel Argentina, it appears that the ransomware specifically targeted those companies. More research on new samples by FortiGuard found that:
… EKANS has been designed to deliberately select its victims. The malware will try to confirm its target by resolving the domain belonging to the victim company and comparing this information to IP lists. If the target status is not confirmed, the routine exits.[5]
The threat actors behind the malware seem to have calculated what the downtime would cost Honda and measured it against the cost of the ransom (which does not appear to have been paid in this case).[6] Of course, it could have been even worse. Many ransomware strains also exfiltrate data before it is encrypted and threaten to sell it online if the ransom is not received. There is no evidence that this has happened with Honda. In fact, the company issued a statement to the effect that there was ‘no current evidence of loss of personally identifiable information.’[7]
How the ransomware got into the Honda network is also unknown at the time of writing. However, in an interview with CPO Magazine, Oz Alashe, the chief executive of cyber risk company Cybsafe, speculated that Honda may have been vulnerable to a ransomware attack due to some of its workforce working from home during the pandemic.[8] Malwarebytes also suspects that the infection may have entered Honda’s network via RDP (remote desktop protocol). Both Honda and Enel had machines with publicly accessible RDP – an attack route favored by bad actors as it is easy to exploit.[9] Nevertheless, it could just as easily have got through using a phishing email.
The attack also demonstrated that Honda’s cybersecurity may not have been as tight as it should have been. As Chris Kennedy, CISO at AttackIQ explains:
The fact that the ransomware affected global operations, inclusive of factory operations, is an indicator their network may not be segmented and isolated in a way to prevent ‘jumps’ between different business functions.[10]
Many of Honda’s operations are now working again, with a Tweet on June 22 announcing that their customer services and financial services were ‘back up and running.’[11] Nevertheless, the time and cost taken to get services back online again – as well as the loss of sales – will have hit Honda hard financially, and no doubt it will be looking at ways to improve its security to ward off any future attacks.
——-
[1] ‘Honda Suffers Major Global Cyber Attack,’ Engineering and Technology, 06/10/2020, accessed at https://eandt.theiet.org/content/articles/2020/06/honda-suffers-global-cyber-attack/
[2] Joe Tidy, ‘Honda’s Global Operations Hit by Cyber-attack,’ BBC News, 06/09/2020, accessed at https://www.bbc.co.uk/news/technology-52982427
[3] ‘Honda and Enel Impacted by Cyber Attack Suspected to be Ransomware,’ Malwarebytes Labs, 06/09/2020, accessed at https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/
[4] ‘EKANS Ransomware and ICS Operations,’ Dragos, 02/03/2020, accessed at https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
[5] Charlie Osborne, ‘This is How EKANS ransomware is Targeting Industrial Control Systems,’ ZDNet, 07/02/2020, accessed at https://www.zdnet.com/article/this-is-how-ekans-ransomware-is-targeting-industrial-control-systems/
[6] Kelly Sheridan, ‘ICS Threat Snake Ransomware Suspected in Honda Attack,’ Dark Reading, 06/11/2020, accessed at https://www.darkreading.com/attacks-breaches/ics-threat-snake-ransomware-suspected-in-honda-attack/d/d-id/1338075
[7] Courtney Linder, ‘Honda Shuts Down Factories After Cyberattack,’ Popular Mechanics, 06/11/2020, accessed at https://www.popularmechanics.com/technology/security/a32825656/honda-cybersecurity-attack/
[8] Byron Mühlberg, ‘Honda Ransomware Attack a Lesson in Segmentation,’ CPO Magazine, 06/22/2020, accessed at https://www.cpomagazine.com/cyber-security/honda-ransomware-attack-a-lesson-in-segmentation/
[9] ‘Honda and Enel Impacted by Cyber Attack Suspected to be Ransomware,’ Malwarebytes Labs, 06/09/2020, accessed at https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/
[10] Byron Mühlberg, ‘Honda Ransomware Attack a Lesson in Segmentation,’ CPO Magazine, 06/22/2020, accessed at https://www.cpomagazine.com/cyber-security/honda-ransomware-attack-a-lesson-in-segmentation/
[11] https://twitter.com/HondaCustSvc/status/1275076236331511808?s=20
SAYA University is the multi-lingual “netflix of cybersecurity” that produces original e-learning programming in a variety of languages. Saya University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet earth, we have a lot of work to do. Our multi-language e-Learning platform offers the world’s most cutting edge knowledge in cybersecurity, data privacy and compliance all in one place.