Honda’s Customer Service and Financial Services were apparently hit by a ransomware attack recently. Kaspersky found samples in the VirusTotal database that make it appear that the company was targeted by the Snake ransomware. This incident made me think about what we can learn from how Honda was targeted to better protect Windows networks from ransomware attacks.
Kaspersky indicated that the malware was launched using a file called nmon.bat. Giving the malicious launcher a .bat extension means that monitoring tools would only see that a script or batch file was run on the network, and in many environments batch files are allowed to run.
The attackers used a file named KB3020369.exe in the attack. This is interesting, since Microsoft Knowledge Base number 3020369 is a Windows 7 servicing stack patch. However, the file name of the actual patch is not KB3020369.exe, but Windows6.1-KB3020369-x64.msu. The attackers named their malicious files to mimic legitimate ones so that they would “hide in plain sight” from the technology professionals reviewing them.
The Snake ransomware removes Volume Shadow Copies from infected systems and then kills processes, including those belonging to virtual machines, industrial control systems, remote management tools, and network management software. The malware was also built to resolve names inside the Honda domain, as third-party researchers noted in an analysis of the attack. This indicates that the attackers targeted the Honda network specifically.
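The two observations above (patch-lookalike file names and shadow copy removal) translate directly into detection logic. The following is an added example, not code from the original post or from any of the researchers cited: it scans constructed process-creation events for an executable named like a KB patch (a genuine patch ships as an .msu carrying the KB number in its name), a batch file launched from a user-writable path, and shadow copy deletion; the `vssadmin delete shadows` command is assumed here as the typical way shadow copies are removed, since the post does not name the command.

```python
import re

# Constructed sample process-creation events (image path + command line); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\nmon.bat"},
    {"image": r"C:\Users\Public\KB3020369.exe", "cmdline": "KB3020369.exe"},
    {"image": r"C:\Windows\System32\wusa.exe", "cmdline": "wusa.exe Windows6.1-KB3020369-x64.msu /quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Program Files\Vendor\svc.exe", "cmdline": "svc.exe --daemon"},
]

# A real Microsoft update is an .msu such as Windows6.1-KB3020369-x64.msu;
# a bare KB<digits>.exe only mimics that naming and deserves a closer look.
FAKE_KB_EXE = re.compile(r"(^|[\\/])KB\d{6,7}\.exe$", re.IGNORECASE)
# Batch files launched from locations an ordinary user can write to.
BATCH_FROM_WRITABLE = re.compile(r"(Users\\Public|AppData|\\Temp\\)[^\s]*\.bat", re.IGNORECASE)
# Shadow copy removal (assumed vssadmin invocation), the first thing Snake does.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event):
    """Return the list of alert tags raised by one process-creation event."""
    tags = []
    if FAKE_KB_EXE.search(event["image"]):
        tags.append("patch-lookalike-exe")
    if BATCH_FROM_WRITABLE.search(event["cmdline"]):
        tags.append("batch-from-writable-path")
    if SHADOW_DELETE.search(event["cmdline"]):
        tags.append("shadow-copy-deletion")
    return tags


def scan(events):
    """Map each flagged command line to its alert tags; clean events are left out."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(tags):28} {cmdline}")
```

The genuine wusa.exe install of the .msu is deliberately left unflagged, which is the distinction the KB3020369.exe lookalike was meant to blur.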