A DoppelPaymer ransomware attack, along with an offer for a 404 bitcoin ($20 million) ransom payment, allegedly hit Kia Motors America Inc. The attack first appeared earlier this week with a national information technology outage across Kai’s North American business, as stated. Kia’s mobile UVO Link app, phone services, payment systems, payment systems, owner portal, and internal pages used by dealerships have been disrupted by the outage. A ransom note sent to Kia reportedly suggested that it was a ransomware double-tap attack in which all files were encrypted and stolen.

Ransomware, what is it?

Ransomware is described as vicious malware which, unless a sum of money or ransom is paid, locks users out of their devices or blocks access to files. Ransomware attacks cause downtime, lack of knowledge, potential infringement of intellectual property, and an intrusion is called a data breach in many industries.

Kia Motors America was the first to alert consumers via its website that some of its services, including internal, consumer, and distributor systems, had an IT system outage affecting them. Few disruptions were also reported by Hyundai Motor America later but seem to be less affected. “Since Saturday, Kia Motors America, Inc. (Kia) has experienced an extended system outage, but can confirm that the UVO app and the owner’s portal are now operational,” Kia told on Thursday in a release.

In the note, if payment for a decryption tool is not obtained, the DoppelPaymer gang threatens to publish the stolen data within three business days. The risks of releasing stolen data are not hollow: in December, DoppelPaymer hit Hon Hai Precision Industry Co., best known as Foxconn, with stolen files eventually released on the dark web, the shady corner of the internet where illegal activity is frequently carried out when it failed to pay up. “Big Brother” manufacturer Endemol Shine and Mexican state-owned petroleum corporation Petróleos Mexicanos are among the previously identified DoppelPaymer ransomware attacks.

Kia Denies Ransomware Attack

Kia Motors America indicated that a malware attack was not the obvious cause of a prolonged outage of services involving the IT systems of the car dealer. All began with an error message. The outage began on February 13 when the Kia Owners Portal went offline, according to Bleeping Computer, and showed the following error message:

“We are now facing an outage of IT systems that have damaged some internal networks. Our clients are our highest priority, and we are working to rapidly fix the problem”.

The Kia Owners Portal is a website where Kia automotive owners can book an appointment with a dealer, shop information about their insurance and/or registration, and more.

Nozomi Networks co-founder Andrea Carcano said that such ransomware attacks are becoming widespread and that this looks a lot like other DopplePaymer attacks he has seen. In this situation, KIA’s smartphone UVO Connect applications, payment systems, owner portals, and internal dealership pages,” Carcano said, “DoppelPaymer and others are immensely more profitable when attacking major companies and undermining their vital IT operations.

Erich Kron from KnowBe4 clarified that organizations like DoppelPaymer are specialists at working out how to cause their victims the most misery to force them to pay up. In this case, many critical IT systems, including those required for consumers to take delivery of their newly-acquired cars, have been disrupted by the attack. This may cost the company of existing and future clients a large amount of cash as well as reputational harm, Kron said.

The users get blocked when they want to access one of these files, and the system administrator who gets notified by the user notices two files in the directory that say the ransom files are taken, and how to pay the ransom to unlock the files. New strains and variations come and go into the “business” as the muscle of new cyber mafias. Cybercriminals use tactics that are continually changing to get around conventional defenses. Ryuk, Dharma, Bitpaymer, and SamSam are several big strains. This is a criminal business model that is very effective. According to a study by Cybersecurity Ventures, annual ransomware-induced expenses are expected to reach $20 billion by 2021.

To stay current, cybercriminals actively exploit social engineering to update their ransomware themes. The FBI variant, the Internal Revenue Service, and, unfortunately, now COVID-19 pandemic-themed ransomware are some themes. Cyber attackers are now introducing unique methods of spreading ransomware in addition to updating themes. This includes selling strains such as “Dot” or “Philadelphia” from Ransomware-as-a-Service (RaaS), where if you infect two other companies, they sell the files back for free. On YouTube, there are also promo ads for certain strains of ransomware.

In reaction to a security event such as a ransomware attack, some organizations might be tempted to pull in and not give the public more details. In doing so, they may believe they are shielding their credibility from additional damage. But, they are also leaving numerous other organizations exposed to the same intimidating actors.

Not all strategies have sufficient levels of defense, however. In reality, indicators that rely on Vulnerability Indicators are ineffective against ransomware gangs such as DoppelPaymer, who constantly come up with new ways to attack organizations.   That’s why companies need solutions that depend on Indicators of Behavior (IOBs) instead of as a way of surfacing threats never seen before to remedy sooner, even though an attack is totally specific to the networks of the target and there are no Indicators of Compromise available to use in protection.


  1. https://www.knowbe4.com/ransomware
  2. https://securityboulevard.com/2021/02/kia-motors-america-ransomware-not-behind-extended-systems-outage-2/
  3. https://www.infosecurity-magazine.com/news/kia-denies-ransomware-attack/
  4. https://www.industryweek.com/technology-and-iiot/article/21155484/kia-motors-told-to-pay-up-in-latest-ransomware-attack
  5. https://threatpost.com/kia-motors-ransomware-attack/164085/
  6. https://www.securityweek.com/carmakers-kia-and-hyundai-say-no-evidence-ransomware-attack