DoppelPaymer ransomware

SpearTip | February 18th, 2021


According to BleepingComputer, Kia Motors America has suffered a ransomware attack by the DoppelPaymer ransomware group, demanding $20 million for a decryptor and not to leak stolen data. Kia Motors America (KMA) is headquartered in Irvine, California, and is a Kia Motors Corporation subsidiary. KMA has nearly 800 dealers in the USA with cars and SUVs manufactured out of West Point, Georgia. Yesterday, we reported that Kia Motors America was suffering a nationwide IT outage that has affected their mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal sites used by dealerships. When visiting their sites, users are met with a message stating that Kia is “experiencing an IT service outage that has impacted some internal networks,” as shown below.

Details of DoppelPaymer Ransomware Attack

A Kia owner tweeted that when they attempted to pick up their new car, a dealership told them that the servers were down due to a ransomware attack. When we contacted Kia Motors America yesterday about these outages and ransomware reports, KMA told us that they were working on resolving the outage. “KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO. We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.” – Kia Motors America.

Today, BleepingComputer obtained a ransom note that we were told was created during an alleged Kia Motors America cyberattack by the DoppelPaymer ransomware group. In a ransom note seen by BleepingComputer, the attackers state that they attacked Hyundai Motor America, Kia’s parent company. Hyundai does not appear to be affected by this attack. The ransom note contains a link to a private victim page on the DoppelPaymer Tor payment site that once again states the target is ‘Hyundai Motor America.’

The Tor victim page says that a “huge amount” of data was stolen, or exfiltrated, from Kia Motors America and that it will be released in 2-3 weeks if the company does not negotiate with the threat actors. The DoppelPaymer ransomware is known for stealing unencrypted files before encrypting devices and then posting portions on their data leak site to further pressure victims into paying. To prevent the leak of the data and receive a decryptor, DoppelPaymer is demanding 404 bitcoins worth approximately $20 million. If a ransom is not paid within a specific time frame, the amount increases to 600 bitcoins, or $30 million.

SpearTip’s ShadowSpear® Platform can stop DoppelPaymer ransomware attacks with the memory injection prevention module. The DoppelPaymer ransomware is known to stay dormant inside networks while collecting information before it exfiltrates the data and encrypts networks. ShadowSpear® would identify the threats before they ever have the chance to sift through your organization’s data. As you can see, corporations of any size are at risk of being targeted. Fortunately, ShadowSpear® is versatile enough to be integrated into any size business in any industry.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.


Connect With Us

Featured Articles

Cybersecurity Health Checks
Cybersecurity Health Checks: Why Companies Need Them
22 April 2024
New Loop DoS Attack
New Loop DoS Attack Affecting Linux Systems
19 April 2024
Possible Cyberattack
Possible Cyberattack During 2024 Summer Olympics
15 April 2024
Tabletop Exercises
Tabletop Exercises: Transformative Impact on Companies
12 April 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.