The ‘EKANS/SNAKE’ virus, designed to attack industrial control system networks, has hit Honda, bringing some of its global operations to a standstill. The company confirmed in a tweet that it was facing technical difficulties. Its ability to access its computer servers, use e-mail and make use of its internal systems was affected.
Brett Callow, a threat analyst at security firm Emsisoft, uploaded a sample of the file-encrypting malware to VirusTotal, a malware analysis service. The sample referenced an internal Honda subdomain, mds.honda.com. “The ransomware will only encrypt files on systems capable of resolving this domain but, as the domain does not exist on the clear net, most systems would not be able to resolve it. mds.honda.com may well exist on the internal nameserver used by Honda’s intranet, so this is a fairly solid indicator that Honda was indeed hit by Snake,” said Callow.
Security researcher Vitali Kremez said that the sample also contained a reference to the U.S. IP address 170.108.71.15, which resolves to the hostname ‘unspec170108.amerhonda.com’. The references to the IP address and the internal hostname strongly hint that this was a SNAKE ransomware attack. Honda stated that no breach of information had taken place. Most production resumed by Tuesday, but its plants in Ohio, Brazil, Turkey, Italy and India are still under suspension.
“No breach of information” but you still had to shut operations in Ohio, Brazil, Turkey, Italy and India.