Honda halts production at some plants after being hit by a cyberattack

Honda halted manufacturing at some of its plants around the world on Tuesday after being hit by a cyberattack that’s widely reported to be ransomware.

“Honda has experienced a cyberattack that has affected production operations at some US plants,” the automaker told Ars. “However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”

Bloomberg News reported on Tuesday evening that production was suspended at car factories in Ohio and Turkey as well as at motorcycle plants in India and South America. The company, according to Bloomberg, was working to fix systems. The news outlet also said that Japanese operations weren’t affected and that other Honda plants in the United States have already resumed manufacturing.

As Bleeping Computer reported earlier, the outage came to light around the same time that a security researcher using the Twitter handle milkream posted a link to VirusTotal. It showed someone had recently submitted a sample of the Snake ransomware malware that checked for the subdomain mds.honda.com.

While DNS records show that the address isn’t reachable on the Internet, researchers presume it’s a network name that’s reachable only inside of Honda’s internal network. Frequently, researchers say, ransomware is programmed to lock data belonging to a specific target. The speculation is that the reference to mds.honda.com was a mechanism to prevent the inadvertent encrypting of data outside of Honda corporate network. If correct, it wouldn't be the first time Honda has paused production as a result of a ransomware infection. In 2017, the car manufacturer shut a plant in Japan after reportedly finding evidence the WannaCry ransomware worm infected parts of its network.

Ransomware attacks have grown to become one of the Internet’s top malware scourges. In the first five months of this year, there have been 74 distinct attacks, according to this summary from security firm BlackFog. More than half of them hit US-based organizations. Organizations in manufacturing, government, education, and professional services were the most common victims.

Some ransomware operators have started a new tactic to increase pressure for victims to pay ransoms. Besides threatening to lock the rightful owners out of their data, the operators auction off the unencrypted data on Dark Web sites. Information put up for sale include cash-flow analyses, distributor data, business insurance content, vendor information, and scanned images of driver’s licenses belonging to people in the company’s distribution network.

Honda has said that it has no evidence any personally identifying data was accessed in the attack, but it’s not clear that kind of access would be obvious in the immediate aftermath of a ransomware attack.