[The following is NIKKEI Business Daily’s interview on cyberattacks with Takashi Yoshikawa, a senior malware analyst at Mitsui Bussan Secure Directions, Inc.]
Question: A major cyberattack hit Honda Motor and forced the company to halt output at some plants in June.
Takashi Yoshikawa: It appears that “ransomware,” in which attackers ask for monetary deals in exchange for decrypting victims’ files they have encrypted, was used in the cyberattack against Honda. Immediately after Honda first confirmed damage, I analyzed the virus uploaded on a website used by IT (information technology) engineers and found multiple functions that suggested the latest trend [of cyberattacks].
The biggest characteristic of the virus was that it only works within Honda’s corporate networks. The virus causes no harm to other companies, so it is difficult for external security engineers to detect it beforehand. The virus appears to have invaded Honda and refrained from any activity until it reached the central server and then quickly spread to the entire company.
Q: Why does ransomware encrypt files?
Yoshikawa: Its main purpose is to demand ransom money, but a new method is also emerging. Sometimes attackers steal classified corporate information and encrypt files with ransomware to eliminate the traces of the attack. When I analyzed the ransomware used in the attack against Honda, I found no functions to steal information. It seems the number of attackers who use [ransomware] to destroy computer systems is increasing.
Q: What kinds of people turn to cyberattacks?
Yoshikawa: Recently, more and more cyberattacks are combining multiple malware (a general term for malicious software). That is expediting a division of labor among attackers, which is a characteristic [of recent cyberattacks]. There are virus creators, brokers who buy and sell information, and crime groups that actually carry out [cyberattacks]. It is often the case that multiple groups share the same virus.
The virus itself is getting cheaper. Sometimes you can buy malware designed to invade computers for just 10 dollars on the online black market. We are also seeing multiple providers of a service called “Ransomware as a service (RaaS),” which even automatically collects ransom money. Some people also provide technical support via a chat system, which facilitates cyberattacks.
Q: Is the number of actual cases of damage increasing?
Yoshikawa: Startups that have clinical trial data and pharmaceutical companies around the globe have been targeted since March due to the new coronavirus pandemic. In many of these cases, clinical trial data and patient information were stolen before files were encrypted by ransomware. Some groups of attackers issued a statement that says, “Medical institutions will be removed from the list of cyberattack targets.” But they have not been removed and the damage seems to be continuing.
There are concerns that there will be another major cyberattack on supply chains, like the one that hit Ukraine in 2017 in which an accounting software developer that controls 80% of the domestic market was attacked and a virus was disseminated under the guise of a software update.
Now various IT infrastructure services are used and companies are increasingly connected to one another. That raises the probability of companies with weak defenses being targeted and viruses quickly spreading from there.
(Interview conducted by Manami Ogawa)