On Monday, Honda was forced to temporarily shut down its car plant in Sayama, Japan, after some of its computer systems were infected with the infamous WannaCry ransomware, reported Reuters today.
The entire incident is particularly strange and worrisome. It is strange because the original WannaCry ransomware version that was deployed in the mid-May attacks was stopped from claiming new victims after a security researcher registered a domain that prevented new infections.
This means that someone at Honda blocked access to the killswitch domain, allowing the infection to spread, or … it means there’s a new version of WannaCry going around that doesn’t feature a killswitch domain.
The latter theory has not been confirmed, as Honda released only a few details about the infection via Reuters reporters. Cyber-security experts specialized in ransomware infections have not reported seeing new WannaCry versions.
A possible theory
A theory proposed by several security researchers, including MalwareTech, the security researcher who registered the killswitch domain, is that some Honda employee brought a device infected with a neutered WannaCry ransomware into one of Honda’s offline networks.
Once the device was taken offline and connected to this network, the WannaCry ransomware worm, which comes back at regular intervals, spread the ransomware to new PCs, which, because they were offline and couldn't reach the killswitch domain, started infecting factory computers.
Another theory is that Honda was using proxies to manage internal traffic. Since WannaCry doesn't support proxy connections, it couldn't reach the killswitch domain and proceeded with its normal routine of encrypting user data.
Furthermore, MalwareTech says he still sees around 200,000 daily hits on the WannaCry killswitch domain, meaning the ransomware infects new PCs on a daily basis but does not encrypt their files.
This still happens because many users and organizations have failed to apply the MS17-010 security bulletin, which mitigates the SMB flaw WannaCry uses to infect computers.
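The killswitch lookups described above are also a detection signal on a defender's own resolver. The following is an added example, not code from the article or from Honda: it triages DNS logs for hosts that queried the killswitch domain and separates those whose lookups failed. The log format, the sample lines, the state names and the `killswitch.example` placeholder domain are assumptions.

```python
from collections import defaultdict

# Placeholder: substitute the killswitch domain from your threat-intel feed.
KILLSWITCH_DOMAIN = "killswitch.example"

FAILED = "SUSPECT_KILLSWITCH_FAILED"      # lookup failed: payload may encrypt
RESOLVED = "SUSPECT_KILLSWITCH_RESOLVED"  # lookup worked: likely neutered

# Constructed sample in a hypothetical "timestamp client qname rcode" format.
SAMPLE_LOG = """\
2017-06-19T08:01:12Z 10.1.4.22 killswitch.example NOERROR
2017-06-19T08:01:13Z 10.1.4.23 www.example.org NOERROR
2017-06-19T08:03:40Z 10.9.0.7 killswitch.example SERVFAIL
2017-06-19T08:04:02Z 10.9.0.7 KILLSWITCH.EXAMPLE. NXDOMAIN
2017-06-19T08:09:55Z 10.1.4.22 killswitch.example NOERROR
malformed line
2017-06-19T08:11:30Z 10.9.0.8 killswitch.example NOERROR
2017-06-19T08:12:01Z 10.9.0.8 killswitch.example SERVFAIL
"""

def triage(log_text, domain=KILLSWITCH_DOMAIN):
    """Map each client that looked up the killswitch domain to a triage state."""
    domain = domain.lower().rstrip(".")
    rcodes = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname, rcode = fields
        # Normalise case and the trailing root dot before comparing names.
        if qname.lower().rstrip(".") == domain:
            rcodes[client].add(rcode.upper())
    result = {}
    for client, seen in rcodes.items():
        # One failed lookup is enough to rank the host as the urgent case,
        # because the killswitch check may have failed on that run.
        result[client] = FAILED if seen - {"NOERROR"} else RESOLVED
    return result

if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(client, "->", state)
```

A successful lookup only shows that DNS worked. On a proxy-only network the direct HTTP connection can still fail, so hosts in either state need the MS17-010 update.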
When WannaCry hit in mid-May, fellow carmakers Nissan and Renault were also affected and had to shut down car plants in countries such as France, India, Japan, Romania, and the UK.