Honda

Just when you thought it was safe to go back online.

Honda Motor Company was forced to halt vehicle production this week after finding WannaCry ransomware in its plant computer network, while the virus is reportedly targeting traffic cameras in Australia.


Honda's Sayama Plant in northwest Tokyo has a daily output of roughly 1,000 vehicles, ranging from Accord to Odyssey models, but was closed down on Monday after the ransomware was discovered on Sunday 18 June. While production has today continued, the data breach continues to prove the lasting effects of WannaCry.

A spokesperson told Reuters the virus had affected networks across Japan, North America, Europe, China and other regions, despite efforts to secure its systems in mid-May when the virus caused widespread.

Read next A startup for NHS beds shows the dangers of following Silicon Valley A startup for NHS beds shows the dangers of following Silicon Valley

The WannaCry virus appeared to have found a weakness in the Sayama plants operational systems, which were running Microsoft’s Windows 10 operating system, using a backdoor to enter and usurp systems. Currently, it seems the Sayama plant is the only Honda production facility to be affected. Security experts have warned after the May attack that other iterations of the worm could soon start affecting systems. Renault and Nissan have similarly been affected by WannaCry last month, causing a halt to production at plants in France, India, Britain and other countries.

The incidents in Australia, confirmed by Victoria Police, claim the virus is also wreaking havoc on 55 traffic cameras and speed cameras which are operated by third-party Redflex.


"Our advice at this stage is that a software virus has been detected however the camera system has not been compromised," the police said in a statement. "We will look into all incidents detected by the speed and red light cameras during the time in question as a matter of course. The integrity of the camera system has not been affected."

Getty Images / DANIEL LEAL-OLIVAS / Stringer

WIRED spoke to Lee Munson, security researcher for comparitech.com about the Honda cyberattack: "The fact that an organisation the size of Honda has been hit with a ransomware attack is not as surprising as some may think - along with phishing it is among the most common threats - but the fact it is WannaCry is surprising indeed.

Read next Friday briefing: Poor NHS cybersecurity blamed for impact of WannaCry ransomware Friday briefing: Poor NHS cybersecurity blamed for impact of WannaCry ransomware

"A month after the attack died out, especially after the original kill switch came to light, everyone thought it was dead and buried, so how did Honda become infected in the first place?


"It sounds to me as though an external storage device may have been introduced to Honda's network which begs as many questions as to why the company had not immunised itself by deploying the latest operating system patches, all the way back to Windows XP."

"Whatever the answer," Munson continued, "this security breakdown will no doubt prove extremely costly to a manufacturer likely to be feeling highly embarrassed over this incident."

Wanna Decryptor ransomware appears to be spawning and this time it may not have a kill switch Ransomware Wanna Decryptor ransomware appears to be spawning and this time it may not have a kill switch

Security officials in the UK have claimed the WannaCry ransomware has links to a hacking group that's associated with North Korea. According to a recent report by the BBC, security officials believe that the Lazarus group launched the attack.

Read next The NHS is going to trial a gig economy app for nurses The NHS is going to trial a gig economy app for nurses

The group has strong links to North Korea, although it is not known who the leadership behind Lazarus is. It is not the first time the hacking organisation has been connected to the ransomware that significantly impacted the NHS.

Symantec says it is "confident" the WannaCry ransomware is connected to the Lazarus cybercrime organisation, said to be responsible for the Sony Pictures hack and the theft of millions of dollar from the Bangladesh Central Bank, and has links to North Korea.

"Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," the company said in a blog post. In particular, Symantec tied the ransomware to the hacking group through a number of similar pieces of code contained within it that were used by the group in the Sony Pictures hack and elsewhere. These include:

Three pieces of malware linked to Lazarus found on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.

Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, previously linked to Lazarus.

Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.

Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude, also linked to Lazarus.

There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.

Previously, security experts scanned the email networks of those NHS trusts affected and found no evidence the Wanna Decryptor, or WannaCry ransomware, came from staff inadvertently clicking on a dodgy link in an email. The researchers from various security firms including Proofpoint, IBM, and Symantec said they found other phishing emails, not tied to WannaCry, but couldn't determine an email link to the widespread attack.

Proofpoint, which helped stop the spread of the virus, said it was "unlikely" the outbreak was caused by phishing, and Symantec's Candid Wüest believes it was spread through the Windows Server Message Block SMB protocol. This system is used to share files between computers typically on closed networks. If this system is opened to a public network, it can be exploited and once a worm successfully penetrates a network, it can then spread from computer to computer easily. Plus, it would only take one computer to go online for the worm to access the network.

Read next After WannaCry, the government must focus on local NHS security After WannaCry, the government must focus on local NHS security

Subscribe to WIRED

Russia was linked to the attack, but Vladimir Putin denied his country's involvement, blaming the US for creating the hacking software that could exploit the flaw in Microsoft's system instead. "Malware created by intelligence agencies can backfire on its creators," said Putin, speaking at a conference in China before adding that leaders needed to discuss cybersecurity at a "serious political level".

The NHS computer hack is said to have “crept” across the UK earlier this month with reports of the ransomware attack hitting a range of organisations in as many as 99 countries. It then appeared to start slowing down after a security researcher said he "accidentally" hit the kill switch on the ransomware.

Writing on the blog @malwaretechblog, Marcus Hutchins registered a domain name used by Wanna Decryptor, or WannaCrypt, and inadvertently killed it. The National

Cyber Security Centre (NCSC) repurposed the blog to spread the message. This was followed by a further statement from the NCSC on Sunday which warned that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware "may come to light, possibly at a significant scale."

Hackers use ransomware to infect a computer or system before holding files hostage until a ransom is paid. It can infect a computer via a trojan, virus or worm. Wanna Decryptor encrypts users files using AES and RSA encryption ciphers meaning the hackers can directly decrypt system files using a unique decryption key. Victims may be sent ransom notes with “instructions” in the form of !Please Read Me!.txt files, linking to ways of contacting the cybercriminals. Wanna Decryptor changes the computer's wallpaper with messages (as seen in tweets from affected NHS sites) asking the victim to download a decryptor from Dropbox. This decryptor demands hundreds in bitcoin to work.

- Want to know more? Read our in-depth piece: "What is Wanna Decryptor?"

Defence secretary Michael Fallon claimed the NHS was "warned" on multiple occasions.


In May 2015, the UK government stopped paying Microsoft for extended Windows XP support. At the time, the deal to get patches for the outdated operating system would have cost £5.5 million. Stopping support for XP and the potential vulnerabilities it would create were well-known to NHS cybersecurity staff and also officials who oversee the services provided. More recently, security analysts said Windows 7 was impacted by the malware more than Windows XP.

This story has been updated to reflect developments relating to the ransomware