Honda factories taken offline following Snake ransomware attack
Carmaker Honda Motor Co. has been forced to halt production in some global factories following a successful cyberattack.
The form of the attack, not detailed by Honda and described today only as a virus, involved Snake ransomware, according to cybersecurity researchers. Because of the attack, production in Japan, the U.S., Turkey, India and Brazil ceased on Monday, though some of the plants have since come back online. Honda’s global email and other systems were also affected along with its customer service and financial services arms.
Honda said that it has no evidence that data had been stolen in the attack.
Snake ransomware, also known as Ekans, was discovered in 2019. It removes a targeted computer’s Shadow Volume Copies and then kills numerous processes related to SCADA (short for supervisory control and data acquisition) systems, virtual machines, industrial control systems, remote management tools, network management software and more.
It then proceeds to encrypt the files across all connected devices. The targeting of industrial control systems is particularly relevant given that Honda plants were shut down following the attack.
A report from Tripwire in May noted that a new Snake ransomware campaign had been detected that was targeting organizations around the world. One victim of a Snake ransomware attack was Fresenius SE & Co. KGaA, Europe’s largest private hospital operator, which was targeted May 6.
“This attack appears to be a ransomware attack associated with the Snake cybercrime group as samples of malware that check for an internal system name and public IP addresses related to Honda have surfaced publicly on the internet,” Chris Clements, vice president of Solution Architecture at IT service management company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “The malware exits immediately if associations with Honda are not detected. This strongly implies that this was a targeted attack rather than a case of cybercriminals spraying out ransomware indiscriminately.”
Even more concerning, he said, is that the Snake ransomware team has historically attempted to steal sensitive information before encrypting its victims’ computers. “This combined with the targeted nature of the malware’s ‘pre-checks’ indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions,” he said.
Patrick Hamilton, cybersecurity evangelist with security awareness training firm Lucy Security AG, noted that the ransom note is written in nearly perfect English, rare for threat actors. “The threat uses sophisticated marketing psychology — almost like reading a friendly message from Amazon,” Hamilton explained. “How did venomous malware infiltrate such a tightly controlled organization? Probably email — the path of least resistance anywhere. It seems like a stroll through the park and instantly turns into a treacherous swamp.”
Chloé Messdaghi, vice president of strategy at information security firm Point3 Security Inc., said the story is a reminder of the importance of enterprise security. “We’ve all seen global corporations put strong security stacks in place and even so, fall victim to ransomware and a major takeaway is: Train and invest in your security team,” Messdaghi said. “It’s more important than ever to prevent security team burnout, which can easily happen given talent shortages, skills gaps and the unique pressures the current pandemic is presenting.”
This isn’t the first time Honda has been hit by a ransomware attack. The company was forced to shut down a manufacturing plant briefly in 2017 after being infected by the WannaCry ransomware.