DoppelPaymer hits Kia America

Automaker Kia Motors America (KMA) is the latest victim of the DoppelPaymer ransomware, which allegedly affected both internal and customer-facing systems.  The ransomware gang claimed responsibility for the attack and is demanding $20 million worth of Bitcoin to decrypt files and to refrain from leaking the stolen data online.  The California-based automaker, however, denied that it was subject to a ransomware attack, while acknowledging an extended system outage that left some customers without service.[1]

Kia's nationwide system outage affected its UVO Link mobile apps, payment services, phone services, owner portal, and dealerships' internal systems.  Buyers said dealerships told them they could not pick up their cars because of a system outage caused by a ransomware attack.  The company acknowledged the outage affecting dealer and customer-facing systems and said it was working to resolve the issue.  Researchers obtained the ransom note generated by the DoppelPaymer threat actors during the attack.  The note, and the gang's leak-site victim page, referred to "Hyundai Motor America," the US arm of Kia's parent Hyundai, rather than to KMA.  DoppelPaymer threatened to publish the exfiltrated data within 2-3 weeks if KMA failed to negotiate a settlement, and to raise the ransom from the current 404 Bitcoins (worth about $20 million) to 600 Bitcoins (about $30 million).  Kia Motors America acknowledged an extended systems outage affecting, among other systems, the Kia Owner Portal, the UVO mobile apps, and the Consumer Affairs web portal.

Kia publicly apologized for any inconvenience to affected customers, including those depending on the remote start and heating features, promising to restore the affected systems as quickly as possible.

Hyundai also experienced system outages similar to those at its subsidiary, Kia Motors.  Its internal systems and dealer sites were rendered unreachable, but the company denied that the disruption originated from a ransomware attack.

The DoppelPaymer ransomware gang practices double extortion: in addition to encrypting files, it threatens to publish stolen data online if the victim refuses to pay the ransom.  Past victims include PEMEX (Petróleos Mexicanos), Bretagne Télécom, the City of Torrance in California, Hall County in Georgia, Foxconn, Newcastle University, Compal, and Banijay Group SAS.  The group has not disclosed the type of data allegedly stolen from Kia and Hyundai.  However, the disruptions appear too coincidental to be random technical glitches.  Either Kia and Hyundai intend to play down a ransomware attack, or the DoppelPaymer operators are capitalizing on an unrelated outage to improve their "street cred."

Every successful ransomware attack carries a significant reputational cost for the affected company.  Consequently, it is not uncommon for organizations to initially deny such attacks, only to acknowledge them later, once media attention subsides.

The attack reportedly "impacted many significant IT systems, including those needed for customers to take delivery of their newly-purchased vehicles," costing the company not only revenue but also "reputational damage with current and potential customers."

comforte AG says:  "The very recent ransomware attack on Kia Motors America demonstrates just how important it is for every organization to rethink data security. Threatened with an imminent leak of stolen data, Kia must now assess just how much sensitive information might be released if they don't meet the terms of the threat actors. Hopefully, they are able to navigate this situation effectively with minimal damage."

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has been following the DoppelPaymer group for some time.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or 
