By Paul Pajares (Senior Threat Researcher, Automotive)
VicOne’s threat landscape monitoring identified numerous ransomware attacks on automotive industry organizations based on sources including external reports and dedicated leak sites. From 2021 to the first half of 2024, there was a significant increase in ransomware attacks, with a considerable spike in 2023. This indicates a growing issue and ongoing attacks that could have important repercussions and implications for the automotive industry.
The ransomware landscape in the automotive supply chain
The automotive supply chain encompasses business operations under information technology (IT) and operation technology (OT). The primary distinction between the two lies in the fact that cybercriminals typically target IT platforms, exploiting weaknesses through phishing attempts, software vulnerabilities, and misconfigurations. IT focuses on the organization’s front-end informational systems, while OT operates independently, maintains segregation, and uses proprietary software, posing a significant challenge to attackers. But although OT focuses on back-end production or machines, a ransomware attack’s consequences can affect both IT and OT, potentially causing business disruption and further repercussions.
This growing threat is reflected in the scale of ransomware damage reported across the industry. VicOne’s calculation of ransomware damage over the indicated time frame, from 2021 to the first half of 2024, estimates it at US$920 billion for over 400 companies in the automotive industry.
The top three ransomware families in 2023 were notorious ones: Lockbit 3.0 (13.8%), BlackCat/ALPHV (9.4%), and Cl0p (4.8%). Lockbit 3.0 led to numerous victims, until 2024, when law enforcement significantly disrupted its operations through Operation Cronos. The Russian-speaking ransomware group BlackCat/ALPHV, known for using advanced extortion methods, had a significant impact in the US. Cl0p accelerated its operations by using a vulnerability in the transfer software MOVEit, resulting in thousands of victims, including those in the automotive industry.
Figure 1. The top ransomware families that reportedly hit automotive companies from 2021 to the first half of 2024
The sudden surge of ransomware in 2023 exemplifies how cybercriminals’ aggressiveness and opportunistic nature impact the automotive industry. Suppliers and third-party providers continued to be the primary targets of ransomware in the automotive supply chain, a trend that persists yearly as the number of dealers rises. This is likely because third-party providers run primarily on IT systems that can be vulnerable to common initial attack vectors such as social engineering, phishing, remote access, and software exploitation.
Figure 2. The number of automotive companies reportedly hit by ransomware attacks from 2021 to the first half of 2024, distributed by supply chain entity
In January 2024, the automotive industry saw three nearly consecutive ransomware attacks in Germany, the US, and Mexico from the BlackBasta, Cactus, and Lockbit ransomware groups, respectively. The next big attack happened in June, in one of the most significant ransomware attacks lobbied against the automotive industry. The ransomware group BlackSuit targeted a US-based multinational enterprise, affecting more than 15,000 car dealers in North America.
Figure 3. The distribution by location of the headquarters of automotive companies reportedly hit by ransomware attacks from 2021 to the first half of 2024
Understanding the impact of ransomware on the automotive industry
The following are some of the common implications of ransomware incidents in the automotive industry, citing noteworthy events.
Halts in business operations or IT outages
Among ransomware’s severe effects are halting business operations and crippling IT systems. The Qilin ransomware gang, for example, accomplish just that when it hit a Chinese automotive company that supplied interior components and cockpit electronics solutions. Its effect extended to a multinational automotive manufacturing company that was unable to assemble some vehicles and consequently filed a lawsuit for US$26 million.
One of the biggest automotive suppliers to a prominent car OEM in Japan experienced a cyberattack with a threatening message, which resulted in the OEM shutting down 14 plants. This affected the production of thousands of vehicles, exemplifying how ransomware could have a critical impact on downstream productivity.
Business disruptions are common when ransomware persists, although they depend on the organization’s cyber resilience and recovery mechanisms. Rook’s attack on a Japanese automotive company affected 12 computers in Mexican plants, among other incidents. The subsidiary of a Japanese vehicle hose maker in the US had to switch to manual production and shipping to maintain the flow of auto parts to customers; the ransomware was unknown. An EV battery supplier company halted five main plants across Germany, Romania, and Indonesia due to a suspected ransomware attack.
Exfiltration of terabytes of data
There were approximately 20 companies from which hackers claimed to have exfiltrated at least a terabyte of data from 2021 to the first half of 2024. The most commonly stolen data include staff information; R&D files for the smart cockpit, intelligent driving, and mobility, and other engineering files; CRM logs and customer information; and even data on car system features like drive control and sensors. The movement of terabytes of data indicates unusual download behavior in network monitoring, a preventive measure for attacks. For context, the highest recorded size of exfiltration was from an attack from LockBit 3.0 where the group stole 40 TB of data. This is followed by Snatch with 20 TB of exfiltrated data from a Chinese automotive top-tier supplier of car systems. The size of exfiltrated data usually ranges from 1 TB to 4 TB. But in one instance, an attacker claimed to have stolen 5 TB of data from a US automotive company, including engineering data and information on high-tech electronic products for automotive use.
Breach of customer or employee data
Companies that experience cyberattacks must notify customers about the breaches and update them on the situation, whether they are impacted or not.
According to reports, the notorious Akira ransomware group hit a subsidiary of a Japanese OEM car maker in the Oceania region. The company notified approximately 10,000 customers about the incident and provided free access to IDCARE, an identity and cybercrime support service, as a support measure for potentially affected customers, which included free credit monitoring, reimbursement for government ID renewal, and a dedicated call center for cyber-related inquiries.
The nefarious Conti ransomware reportedly affected a car diagnostic tool supplier in the US, which acknowledged the breach and notified customers about the possible types of data exfiltrated: associate and franchisee data with Social Security numbers, dates of birth, and employee identification numbers. Similarly, the company provided a free one-year subscription to IDX, an identity theft protection service, to victims free of charge to monitor credit and detect fraud.
Data breaches put customer data at risk, which is why companies must take necessary action to prevent and minimize leaks. For example, a cyberattack on a third-party automotive software provider also affected various dealerships and automotive partners. The company then escalated a restraining order in high court to prevent anyone from sharing client information that might be published online and performed necessary actions such as hardening and improving the security of its systems.
The BlackCat ransomware group allegedly targeted an automotive supplier and exfiltrated data on 25,000 employees. The company notified its employees about the potential exfiltration of personal data and banking information, which cybercriminals could use to facilitate fraudulent schemes such as applying for loans and credit cards, or worse, trading and selling it in the underground market.
Demand for million-dollar ransoms
The largest ransomware syndicates demand huge amounts of money, particularly from high-revenue companies. Listed below are real-world cases and the corresponding ransom demands:
- The Medusa ransomware group gave an ultimatum of 10 days for a car OEM to pay US$8 million in exchange for the stolen and encrypted files.
- Cybercriminals claimed to have stolen internal data and demanded US$2.25 million from a Chinese automaker.
- The DoppelPaymer ransomware group demanded US$20 million from an automaker in the US.
- LockBit 3.0 operators demanded US$60 million from a luxurious car dealer group in the UK that served more than 200 entities.
- The Lockbit 3.0 group reportedly exfiltrated 40 TB of data, speculated to include information pertaining to supervisory board meetings of a German tire and car parts company. This data had been reportedly put up for sale for US$50 million in the underground market.
Possibility of multi-ransomware attacks
Another primary concern brought by ransomware attacks is the underground activities that come with them. These activities enable threat actors to exchange information about software vulnerabilities and stolen credentials, or worse, spread further ransomware.
Cybercriminals target multinational companies because of the high value of their stolen data when it comes to trading and selling in the underground. For instance, a series of ransomware attacks from various operators, including Conti and Mount Locker, reportedly hit a German automotive supplier. These attacks triggered unauthorized access to the IT infrastructure, affecting the manufacturing division and bringing plant operations to a standstill.
Legal actions due to breaches
When customer data breaches or business disruptions occur, the consequences can easily lead to lawsuits. An example of this was when the Play ransomware group launched an attack on an automotive dealer in the UK, which involved the exfiltration of sensitive data. Aside from the operational consequences of a ransomware attack — such as internet suspension, challenges to performing tasks, and third parties and dealers having to find workarounds — the company also had to contend with a group action lawsuit from customers who experienced fraud attempts on their email accounts as a result of their information being leaked.
Fraud attempts
The aftereffects of a data breach can expose customers to fraud attempts due to the theft of PII. For example, the customers of the same UK-based automotive firm discussed earlier experienced increased levels of fraud, which led them to take legal action. More recently, an alleged ransomware attack on an automotive dealership software provider led to phishing attacks in which scammers posed as representatives of the company, offering assistance during an IT outage caused by the attack.
Loss of cyber insurance
Insurance might not always be an effective cost-recovery solution, but it can cover some costs. A multinational automotive distributor was reportedly hit by RansomEXX and faced a crisis in cyber insurance, with policies being discarded because of the victim’s decision to pursue immediate remediation, such as forensics and recovery, to contain the situation. The trial concluded with an unrecoverable insurance policy, underscoring the importance of clearly defining and agreeing on insurance coverage and policies.
Putting the brakes on ransomware in the automotive industry
Understanding the specific repercussions that a company might face from ransomware attacks is crucial. While the worst part is the potential domino effect, almost all repercussions have the potential to put the business at risk, and recovery might take some time. For example, in the case of the recent alleged ransomware attack on third-party vehicle providers, it took weeks for operations to fully return to normal for all customers, resulting in daily financial losses as these customers relied on the affected third-party software to continue their business.
It is imperative to put all security measures in place, adopt a zero-trust model approach, have ransomware back-ups and recovery plans, manage single points of failure, invest in cybersecurity for detecting and preventing cyberattacks, and conduct security exercises to prepare organizations for ransomware events.
The interconnectedness of the modern car has led to an elevation of automotive cybersecurity beyond the traditional IT systems. The road to vehicle-to-everything (V2X) presents the next potential target for ransomware attacks, which could further escalate the repercussions and impact, particularly on vehicles in operation. In this context, solutions emphasizing on-board traffic monitoring, effective management of vulnerabilities, and robust security for cloud services, APIs, and endpoints become increasingly vital.
