• Automotive E/E
  • Our Resources
  • Blog
  • When an Automotive Ransomware Attack Strikes the Fleet

When an Automotive Ransomware Attack Strikes the Fleet

April 29, 2018

Malware could just as easily target a connected vehicle as a smartphone or a computer. There are numerous ways for the enterprising hacker to compromise entire fleets of cars and trucks using vehicle hacking.

A cyber attacker could pepper a vehicle-owner community with socially engineered emails about seemingly legitimate software updates. But instead of upgrading their cars with the latest software fixes, eager recipients could be tricked into clicking on dangerous attachments or links to malicious Web sites. Malware could be embedded in a seemingly innocent vehicle software update file and transferred to the car unknowingly by its owner via USB drive. With more investment, attackers could mail infected USB drives directly to car owners. Even the dealership or maintenance center could be invaded and turned into ransomware proliferator. According to the FBI, ““Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities.”

The possibilities for vehicle ransomware mayhem seem endless.

Fleet Ransomware Scenario

Here is a scenario that could become the nightmare of an automotive manufacturer or fleet owner.

The Automotive Cyber Security Incident Response Team, CSIRT, was roused from their offices at 4pm just moments after two simultaneous events occurred. The first was the company’s Security Operations Center (SOC) alarms going off, indicating that a serious cyber attack on some significant part of the 2018 car fleet was in progress. The second, even more distressing and harder to deal with, was the cascade of hysterical calls from individual car owners and drivers who were frantically reporting that their vehicles had suddenly, and without warning, ceased to operate, sometimes in dangerous circumstances.

The Automotive CSIRT had been carefully assembled with heavy-hitters of cybersecurity. They were painstakingly coached for this very situation. Months of highly specialized training went into learning the details about connected-car technology replete with countless drills on every scenario that can be imagined. But like a squad of Navy Seals, you don’t know how good you are until you confront the real thing—in this case, an advanced cyber attack conducted by international hacking experts. The challenge was on.

The four cyber defense specialists of the CSIRT rushed to the SOC to confront the attack that strikes terror in the hearts of every IT department and auto manufacturer: ransomware.

Already, the real-time maps on rows of screens in the SOC were lighting up locations where affected cars were now unable to move, probably exceeding one hundred by now with more reports coming in.

The customer support lines were inundated with irate customers complaining about the vehicle’s RSOD—"red screen of death”, in cyber security parlance—that had suddenly popped up on their dashboard screens: “Your car has been taken over by the Dark Vehicle Gang. Pay us if you want to drive.”

Quote: 'Your car has been taken over by a ransomware attack on cars by the Dark Vehicle Gang'

The Nature of A Ransomware Attack on Cars

The specialists of the CSIRT were well trained in the anatomy of a ransomware attack on cars and other vehicles:

  1. The hackers, (Dark Vehicle Gang, in this case) obtain a few target cars to practice on. This could occur anywhere, even in another country.
  2. They create some sort of primary malware that will infiltrate the cars.
  3. They create the means to deliver the primary malware to the cars either via some sort of physical connection like a USB or over the air. In this case, due to the large number of affected cars, the malware was either delivered over the air or in the delivery chain from where it laid dormant until a specific date or command was received.
  4. Either the primary malware itself or a secondary malware that it has invited attacks the target ECU and causes it to mal-perform or to shut down as in this case.
  5. The malware may create a connection back to the hackers’ command-and-control center to report its success. In our scenario, that wouldn’t be necessary since a large-scale attack of this kind would be sure to make the news reports on radio, television and newspapers and, of course, across numerous internet news sources. The hackers would surely find out about the progress of their attack in real-time.
  6. The ransomware displays an extortion message on the dashboard screens of the infected cars.
  7. If/when the ransom is paid, usually in untraceable cryptocurrency, the hackers re-contact their vehicle-infecting malware to execute an unlocking command, erasing all traces of their presence and activity. That is, if the hackers are "honest". Sometimes, they just take the cryptocurrency and run. If they are in a remote country that protects them from retribution, they just stay there and live like kings. 

Incident Response

From four workstations each with two large screens, the CSIRT team fired up their bag of incident response software tools. The team knew what they were looking for:

  • WHO was perpetrating this attack?
  • WHAT was the bricking action that was making the cars inoperable?
  • WHERE in the car was the exploit manifest?
  • WHEN did the exploit enter the cars?
  • HOW did the malware spread to the infected system?
  • HOW MANY cars are infected?

The Board of Directors and Senior Management of the company were now on the scene. They impatiently probed, “What do we know so far?” and delivered the bottom-line questions, “If we pay the ransom, do we get those cars back and how long does it take?”

Rapid Remediation

The CSIRT specialists connected to two of the infected cars over the air to collect evidence. They quickly established that the ignition-control ECU was the target and had been incapacitated. After bringing back a memory dump and comparing it with a normal version, they determined that malware was there. By replacing the infected image with a clean one via a firmware-over-the-air (FOTA) update and rebooting the ECU, they could eliminate the malware and re-set ECU to proper operation.

The CSIRT specialists called the driver of one of the infected cars on her mobile phone and informed her of what they were about to do. She was only too happy to cooperate. They sent the FOTA update that quickly repaired the ECU.

“Madame, please try to start your car now.”

A turn of the key and the car jumped back to life. The scream of joy was all the CSIRT heroes had to hear to know that they had won the battle and that the company had dodged the bullet this time.

Now, the painstaking effort of repeating these remediation steps on a hundred or more cars could take place. The CSIRT team showed the two-dozen SOC analysts on-shift how to do it. If each one could perform the remediation within 5 minutes on each of 5 cars, all the infected cars could be brought back to life within 30 minutes.

No doubt, other drivers would be reporting the attack in the hours and days ahead. (Maybe they weren’t driving today.) The SOC analysts would immediately apply the remediation upon receipt of any new report as they've successfully proven themselves as automotive defense specialists.


Case closed. The company lucked out. They got all the cars back on the road in short order and didn’t have to pay the ransom. But the labors of the CSIRT were hardly over. In fact, the hard work had just begun. Now, they had to answer the big questions after 'dissecting' the anatomy of the ransomware attack:

  • Who did this? (Probably a question for the police or FBI.)
  • What was the means by which the attack was delivered to the cars? (Bluetooth, WiFi, Cellular, USB…)
  • How did the ransomware attack on the cars bypass our cyber security mechanisms? (Let’s fix it and share what we learn here with all car manufacturers as we expect them to share with us. We are all in this together.)
  • How long was the exploit resident in the cars before it attacked?

And the biggest one:

  • What should we do to make sure this doesn’t happen again?

GuardKnox Cybersecurity Advantage

If this OEM had deployed GuardKnox technology, then any improper command to an ECU controlling the ignition switch, instructing it to shut off at a time when the ECU should not enter that state, would have been ignored and reported. The ransomware would not have put the fleet at risk.

GuardKnox’s patented Communication Lockdown™ Methodology, delivers fighter jet cyber protection to connected vehicles. Communication Lockdown™ does not allow any command to take an ECU out of a legitimate state. Despite the greatest efforts of hackers to develop highly sophisticated ransomware attacks, the GuardKnox solution locks them out.

Talk to us to learn more.

The cyber security threat landscape for automotive market and connected vehicles cyber defense

Lets’s Talk