Honda halted production at some of its factories around the world on Tuesday after being hit by a cyber attack that has been widely reported to be ransomware.
"Honda has experienced a cyber attack that has affected production at some US plants," the automaker told Ars. "However, there is currently no evidence of loss of personal information. We have resumed production at most plants and are currently working to return to the production of our auto and engine factories in Ohio."
Bloomberg News reported Tuesday evening that production had been halted at car factories in Ohio and Turkey and at motorcycle factories in India and South America. According to Bloomberg, the company was working to repair systems. The news agency also said that Japanese operations were not affected and that other Honda factories in the United States had already resumed production.
As Bleeping Computer previously reported, the outage came to light around the same time that a security researcher using the Twitter handle milk flow posted a link to VirusTotal. It turned out that someone had recently submitted a sample of the Snake ransomware that looked for the mds.honda.com subdomain.
While DNS records show that the address cannot be reached on the Internet, researchers assume that it is a network name that can only be reached within Honda's internal network. According to researchers, ransomware is often programmed to lock up the data of a specific target. The speculation is that the reference to mds.honda.com was a mechanism to prevent accidental encryption of data outside the Honda corporate network. If this is correct, it would not be the first time that Honda stopped production due to a ransomware infection. In 2017, the automaker closed a plant in Japan after reportedly finding evidence that the WannaCry ransomware worm had infected parts of its network.
Ransomware attacks have become one of the most common malware scourges on the Internet. According to a summary from security firm BlackFog, there were 74 different attacks in the first five months of this year. More than half of them hit organizations based in the United States. Organizations in the manufacturing, government, education and professional services sectors were the most common victims.
Some ransomware operators have introduced new tactics to increase the pressure on victims to pay the ransom. In addition to threatening to lock the rightful owners out of their data, the operators auction the unencrypted data on dark web sites. Information for sale includes cash flow analysis, merchant data, company insurance content, supplier information and scanned images of drivers' licenses in the company's sales network.
Honda has stated that there is no evidence that personal data was accessed in the attack, but it is not clear that this type of access would be apparent immediately after a ransomware attack.