On June 8, 2020, reports emerged detailing a network outage impacting Honda as a result of a possible ransomware attack.
An observed EKANS (SNAKE) ransomware sample (d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1) was uploaded to VirusTotal from Japan on June 8, 2020. The sample attempts to contact the domain mds[.]honda[.]com, which is likely an internal Honda domain; if the DNS request for this domain does not resolve, the sample does not execute. Analysts also observed the same tactic in the recent Fresenius EKANS ransomware attack, where the sample attempts a DNS query for ads[.]fresenius[.]com and compares the resolved address to a private IP address.
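The DNS checks described above are useful from the defender's side: a sandbox in which the keyed domain does not resolve will never see the payload run, and a resolver log shows which hosts performed the lookup and whether the answer would have satisfied the gate. The following is an added example, not code from the report or its authors; it assumes a hypothetical resolver log layout of "timestamp client qname rcode answer" and uses constructed log lines.

```python
import ipaddress
import re

# Environment-keyed domains from the report, kept defanged as written there.
# Value: (which sample, what the sample checks: resolution only, or private IP)
KEYED_DOMAINS = {
    "mds[.]honda[.]com": ("EKANS Honda sample", "resolves"),
    "ads[.]fresenius[.]com": ("EKANS Fresenius sample", "private"),
}

def refang(domain):
    """Turn the report's defanged form into a comparable DNS name."""
    return domain.replace("[.]", ".").rstrip(".").lower()

KEYED = {refang(d): v for d, v in KEYED_DOMAINS.items()}

# RFC 1918 ranges, used for the Fresenius-style "private IP" comparison.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS log lines in a hypothetical "ts client qname rcode answer" layout.
SAMPLE_LOG = """\
2020-06-08T09:14:02Z 10.20.5.17 www.example.com NOERROR 93.184.216.34
2020-06-08T09:14:05Z 10.20.5.17 mds.honda.com NOERROR 10.1.4.22
2020-06-08T09:14:09Z 10.20.7.90 mds.honda.com NXDOMAIN -
2020-06-08T09:15:11Z 10.20.9.3 ads.fresenius.com NOERROR 172.16.40.8
2020-06-08T09:15:40Z 10.20.9.3 ads.fresenius.com NOERROR 203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def gate_satisfied(check, rcode, answer):
    """Would this DNS result satisfy the sample's execution gate?"""
    if rcode != "NOERROR":
        return False            # no resolution: the sample does not execute
    if check == "resolves":
        return True             # Honda sample only needs the name to resolve
    return any(ipaddress.ip_address(answer) in net for net in RFC1918)

def find_keyed_lookups(log_text):
    """Return (client, qname, sample, gate_satisfied) for queries to keyed domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, rcode, answer = m.groups()
        qname = refang(qname)
        if qname in KEYED:
            sample, check = KEYED[qname]
            hits.append((client, qname, sample, gate_satisfied(check, rcode, answer)))
    return hits
```

A host whose lookup returns gate_satisfied=True is one on which the sample would have proceeded to its kill list and encryption routine, which makes it the first place to triage.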
Today, Honda confirmed that a cyber attack was the cause of the identified network issues. The company said that the incident was affecting its ability to access computer servers and use email. Honda also confirmed that the attack has had an impact on production systems outside of Japan.
EKANS ransomware emerged in mid-December 2019. While relatively straightforward as a ransomware sample in terms of encrypting files and displaying a ransom note, EKANS features additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of the processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space. ICS asset owners and operators are therefore strongly encouraged to review their attack surface and identify the mechanisms by which disruptive malware, such as ransomware with ICS-specific characteristics, could be delivered and distributed in their environments.