The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

A report by information security news site Bleeping Computer seems to solidify that theory, as the publication shared a screenshot of an alleged ransom note asking Kia for the hefty sum of $20,000,000 to decrypt its files.

The infection is believed to be the work of a group called DoppelPaymer by Crowdstrike researchers in 2019. Such threat actors routinely hunt big game for large payouts, according to a security bulletin released by the FBI late last year. The note left behind mentions that the malware not only encrypted live data, but also the company's backups, which more sophisticated attacks of this nature often do to prevent an easy restoration.

To make matters worse, it also claims to have exfiltrated a large amount of data along with the hack which it says it will release within three weeks.  It's not clear what kind of data was exfiltrated by the attackers, however, the note claims that it was a "huge amount" of it, and the number of Kia's online services that were affected does elude to the possibility of a broad net being cast into Kia's network. In more simple terms, these alleged attackers stole a bunch of stuff out of Kia's house and then locked the doors to some of the bedrooms inside. 

After reaching out to Kia multiple times, The Drive finally received an answer on the matter. A Kia spokesperson confirmed that Kia is "experiencing an extended systems outage," though it does not mention the nature of the outage. It also downplays the ransomware attack allegations shared by Bleeping Computer.

"Kia Motors America, Inc. is currently experiencing an extended systems outage," a Kia spokesperson told The Drive via email. "Affected systems include the Kia Owners Portal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal interruption to our business."

The spokesperson added: "We are also aware of online speculation that Kia is subject to a 'ransomware' attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a 'ransomware' attack."

Having said that, the report on Bleeping Computer indicates detailed notes from these purported attackers. The attackers apparently used a Protonmail email address to communicate and display a web page on Tor, an encrypted peer-to-peer network that promotes anonymity, complete with an online chat function in case they need support to pay the ransom. At the time of this writing, the hackers were requesting 404.5412 Bitcoin, which equates to roughly $20.9 million. But the message also warns that as they take longer to pay, the fee goes up, ending in 600 Bitcoin ($31 million) should the automaker not pay up within nine days.

Screenshots of the actual notes have been published by Bleeping Computer and can be viewed here. It's also worth noting that DoppelPaymer is the same malware that was responsible for exfiltrating and encrypting data from Visser, a defense contractor and parts manufacturer for both Tesla and SpaceX, just last year.

Meanwhile, Kia's key connected services remain offline, meaning customers are unable to pay their car loans, remotely start their vehicles, or other functions using Kia's infrastructure. Dealerships also appear to be affected by the outage. One dealership we spoke with acknowledged that there was malware in-play and also mentioned that they couldn't process customer orders or even look up detailed information on check engine light codes.

So while Kia denies that this was, in fact, a cyberattack, the data uncovered here may prove otherwise. Regardless of what happened, it's a nasty headache for the automaker that comes at a pretty inopportune time. As we noted previously, it means that many Kia owners may be unable to remotely unlock their vehicles or warm them up during an especially nasty winter storm hitting much of the country this week. 

Got a tip? Send us a note: tips@thedrive.com