This June, Honda, one of the world’s leading carmakers, announced that it had halted production. Yet this wasn’t another temporary closure brought about by the COVID-19 pandemic. This time the culprit was a ransomware cyberattack. The attack primarily shut down the company’s financial and customer services, though it also affected automotive production in plants such as the one in Ohio, USA.

Forensic analysis_

To discover the malware at the root of the Honda incident, investigators turned to VirusTotal, a free portal for the individual scanning of files and web pages which we talked about in our post on Yara rules. Here they found a sample of the ransomware Snake (EKANS) that specifically targeted the automobile company. This was clear when researchers tried to analyze the malware. It would start and immediately exit without encrypting any files, as it tries and fails to resolve the “mds.honda.com” domain, given that it can’t detect it. There were other indications of the intended victim of the threat: It also contains a reference to the U.S. IP address 170.108.71.15. This IP address resolves to the ‘unspec170108.amerhonda.com’ hostname.

Snake ransom note provided by the cybersecurity researcher milkcream .

Yet this hasn’t been the only cybersecurity incident to affect Honda recently. In July 2019, in what may have been a precursor to the Snake attack, the researcher Justin Paine discovered,  through Shodan, the search engine for inter-connected devices, an Elasticsearch database containing information about 300,000 company employees, including the CEO. The list apparently referenced a table called “uncontrolled machines”, referring to Honda computers without security software installed. Paine noted that beyond the incident itself, exposing a list of unprotected computers could enable adversaries to use these as points of entry for future attacks. Which is why this could have been how Snake managed to infiltrated the system.

Known yet dangerous_

Some cybersecurity experts believe that Snake is a strain of ransomware with unique characteristics, as once it has entered systems, it seeks out IT processes related to business management tools, as well as industrial control systems (ICS).

This makes it particularly dangerous, and it has previous form for this. As we mentioned earlier when reporting the Interserve cyberattack, hospitals and their suppliers have become a frequent target during the COVID-19 pandemic. Snake also played a part in this, as last May it attacked Fresenius, Europe’s largest private hospital operator. Although Fresenius explained that there was no impact on hospitals themselves, the production of its pharmaceutical division may have been affected, which was in high demand in the continent given the ongoing health crisis.

Prevention, zero-trust, and sound data management policies _

To counter this type of ransomware attack, organizations should keep in mind three fundamental factors based on awareness, technological solutions, and appropriate policies. These factors are:

  • Prevention: Awareness of threats and the implementation of good cybersecurity practices among employees is always the first firewall in an organization. To this end, as the Snake attack on Fresenius underlines, the current pandemic has notably increased the number of cyberattacks using social engineering with COVID as bait, or that target telecommuters with less protection than they would have within the office perimeter. That’s why we should all be taking special precautions, such as being wary of suspicious emails or web domains.
  • Zero-trust: Although prevention and awareness measures are necessary, on their own they are not enough to counter increasingly sophisticated cyberattacks using ransomware such as Ryuk. That’s why CISOs should also have an endpoint prevention solution, able to detect any known or unknown malware, and based on a zero-trust approach to prevent any file from running until it is classified as trusted, and which covers all possible entry vectors, including emails and web browsers
  • Appropriate data management policy: If a ransomware incident does occur, blocking some of your systems, your organization will be far less exposed if an appropriate data policy is in place to prevent information encrypted by malware from blocking key services or causing serious losses. Over and above compliance with the GDPR, it is best to have secure cloud architecture and technological solutions that monitor all files in search of personal or sensitive data on endpoints and servers