Kia denies paying $20 million to hackers after USA network goes down
The company refuses to confirm it was the target of a ransomware attack
Mystery surrounds the cause of Kia's nationwide network outage as both the Korean automaker and its major shareholder Hyundai deny they were the target of a ransomware attack. American owners were prevented from accessing the UVO Link app, which provides services such as remote lock and unlock and roadside assistance. Around 800 Kia dealers found themselves blocked from all company websites and were unable to carry out recall work, verify warranty information, or even order parts.
Speculation that hackers were behind the outage began when BleepingComputer published a Notepad file claimed to have been received by Hyundai Motor America. The widely-shared note suggests that Kia company data had been encrypted and would not be unlocked unless a payment of $20 million in Bitcoin was sent to DoppelPaymer's Tor website. If payment was not received in 10 days the ransom would rise to $30 million with a follow-up threat that confidential company and customer data would be released if the matter wasn't resolved in 21 days.
The alleged attack comes just three months after the FBI warned about an increase of activity from the extortionists, noting the potential to disrupt critical national infrastructure.
Kia Motors issued a statement which simply said: “We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.”
The statement contradicts several customer reports on social media saying that Kia dealerships had told them they were unable to provide services because the network had been hacked.
"Yo @kia why my mechanic say Kia Motors been hacked? My onboard computer went in for recall and now it’s undrivable? You guys never heard of Nord VPN?" tweeted user @daily_deluxe.
On Reddit, u/Hi-Scan-Pro wrote "Kia dealer tech here- we've been unable to access any Kia dealer websites this week. No warranty validation, no technical support, no service information. I've been with Kia for 20 years, there has never been an outage this long. A couple of hours at most, and never affecting all of it at the same time."
The alleged attack on Kia Motors follows the typical modus operandi for DoppelPaymer ransomware attacks. The group has been active since 2017 and is believed to be linked to the INDRIK SPIDER eCrime group, which has been committing various forms of wire fraud since 2014. In November 2020 the group netted over $34 million in Bitcoin from Hon Hai Precision Industry Co. Mexico.
Services across the Kia company network are slowly being restored but Kia is refusing to clarify if any money was funneled to the criminal organization, likely out of fear of opening themselves up to future attacks.