Global automotive manufacturer Honda has temporarily shut down all of its worldwide operations due to an apparent network issue. Although Honda is staying tight-lipped, various sources are reporting that Honda is currently battling an ongoing cyber attack.
Experts suspect that Honda is dealing with a particular strain of ransomware called the SNAKE infection. This virus gets its name from the metadata it leaves behind after it encrypts files on a device. For example, if you had a TXT file that was impacted by this virus, the file extension would change from TXT to EKANS.
What is the SNAKE Virus?
As you can see, EKANS spelled backwards is SNAKE. This particular strain of malware has successfully bypassed several of the more popular antivirus suites. Unlike other computer viruses, the SNAKE infection is particularly nasty because it doesn’t just encrypt files on one device. The virus actively seeks out other vulnerable devices on the network and attempts to encrypt as many files on these devices as possible.
To further complicate matters, some variants of the SNAKE ransomware attempt to destroy backups, shadow copies and active snapshots of your virtual servers, making it nearly impossible to recover rapidly.
While Honda is choosing to neither confirm nor deny that it has been impacted by this specific cyber attack, automobiles have not been manufactured by Honda since June 6th, 2020. Honda released a statement saying that it was choosing to shut down all manufacturing operations while it attempts to resolve these outstanding network issues.
Was Honda Targeted?
Experts say that the alleged malware infection specifically targeted Honda’s industrial control system infrastructure, bringing its manufacturing operations to a complete standstill. Cyber security researchers say that this specific virus leaves behind a text file with instructions on how to decrypt the impacted files.
As the name ransomware suggests, victims must pay the ransom in order to regain access to their files. Hackers have become very sophisticated in this endeavor: they’ve even set up a help desk to let impacted organizations send over test files that will be decrypted as a gesture of goodwill. These service desks are designed to assist the victims while making them feel at ease about paying the ransom. If the help desk can decrypt a few sample files, the victim might be more comfortable paying the ransom.
Cyberthreats Haunt Large Organizations
Honda is just the latest example of a large organization that has potentially fallen victim to a cyber attack. Most people believe that a large organization would be better equipped to mitigate a cyber attack, but that isn’t always true. The bigger an organization’s network, the larger the attack surface it must manage.
Because many organizations let their IT staff have the weekends off, many hackers use this time to actively scan public-facing systems in order to find vulnerabilities to exploit. If no one is available to immediately respond to an attack, the infection can silently spread and cripple other devices before the IT staff is able to formulate a response.
Other organizations have also fallen victim to the SNAKE attack. In fact, one of the largest healthcare systems in Europe recently reported that its networks became compromised by the infection.
What Are Honda’s Options?
If Honda is indeed dealing with the SNAKE infection, it has a few options at its disposal. The easiest option would be if their system administrators are able to restore their files from a usable backup.
Most computer scientists suggest that you should have multiple backups on different storage mediums stored in different geographical locations. While this is generally accepted as a best practice for data backups, even large organizations have been known to not follow best practices.
Will Honda Pay the Ransom?
If server backups are not immediately available, perhaps Honda can restore from backups stored on another medium such as magnetic media. Otherwise, Honda may be forced to pay the ransom in order to regain access to its files.
These types of infections provide specific instructions to victims that tell them how they can purchase specific non-traceable cryptocurrencies and send them to the authors in exchange for the encryption keys that can be used to unlock the files.
If it is deemed that the encrypted files are non-essential to the organization, Honda may simply elect to reimage or rebuild all of its servers and network infrastructure while ensuring that all of the latest patches are installed. Honda’s IT staff must resolve to lock down their networks so that another attack like this can never take place again.