RansomHub Ransomware Attack Disrupts Kawasaki Motors Europe

Incident Date: Sep 05, 2024

Attack Overview
Victim: Kawasaki Motors Europe
Industry: Manufacturing
Location: Netherlands
Attacker: RansomHub
First Reported: September 5, 2024

RansomHub Ransomware Attack on Kawasaki Motors Europe

In early September, Kawasaki Motors Europe (KME), a division of Kawasaki Heavy Industries, fell victim to a ransomware attack orchestrated by the RansomHub ransomware group. This incident has raised significant concerns within the cybersecurity community, given Kawasaki's prominent position in the manufacturing sector.

Company Overview

Kawasaki Motors Europe specializes in the design, manufacture, and sale of motorcycles, all-terrain vehicles (ATVs), and personal watercraft. The company operates primarily in the European market, offering a diverse range of motorcycles that cater to various riding styles and preferences. Kawasaki's product lineup includes hypersport, supersport, supernaked, adventure tourer, classic, modern classic, and electric vehicles. The company is known for its innovation and technology, incorporating features like the Kawasaki Cornering Management Function (KCMF) and the Kawasaki Intelligent anti-lock Brake System (KIBS) to enhance rider safety and performance.

Attack Overview

The ransomware attack on KME was attributed to the RansomHub ransomware gang, which claimed responsibility on September 5. The group alleged the theft of 487 GB of data from KME's network and threatened to publish the data if their demands were not met. The attack caused temporary disruptions, prompting KME to isolate its servers to prevent further damage. The company collaborated with external cybersecurity experts to clean and restore its systems, achieving over 90% server functionality within a week. Despite the breach, Kawasaki reported that business operations, including those with dealerships, suppliers, and logistics, were unaffected.

RansomHub Ransomware Group

RansomHub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024. The group quickly gained notoriety by adopting a highly adaptable and aggressive affiliate model. RansomHub is known for its speed and efficiency, with ransomware optimized to encrypt large datasets quickly while targeting a wide range of cross-platform systems. The group employs double extortion tactics, combining encryption with data theft to increase pressure on victims to pay ransoms. RansomHub's affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to target systems.

Penetration and Vulnerabilities

RansomHub's affiliates likely penetrated KME's systems through a combination of phishing campaigns and exploitation of unpatched vulnerabilities. The group's methodology includes network reconnaissance, privilege escalation, and data exfiltration before encrypting files. RansomHub's ransomware uses Curve25519 elliptic-curve cryptography to generate unique keys per victim, making it difficult for organizations to decrypt files without paying the ransom. The attack on KME highlights the vulnerabilities that large enterprises with valuable data and critical operations face, particularly in sectors like manufacturing.
