{
	"id": "e26f2fb7-9cff-4f00-bbda-81ed312aad9c",
	"created_at": "2026-04-06T00:22:36.539702Z",
	"updated_at": "2026-04-10T03:20:34.715866Z",
	"deleted_at": null,
	"sha1_hash": "2a75b7ed663c942bbca1250227eda4413175e369",
	"title": "Honda and Enel impacted by cyber attack suspected to be ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 423187,
	"plain_text": "Honda and Enel impacted by cyber attack suspected to be\r\nransomware\r\nPublished: 2020-06-08 · Archived: 2026-04-05 18:21:20 UTC\r\nCar manufacturer Honda has been hit by a cyber attack, according to a report published by the BBC, and later\r\nconfirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the\r\ncompanies belonging to Enel Argentina which operates in the business of energy distribution in the City of Buenos\r\nAires.\r\nBased on samples posted online, these incidents may be tied to the EKANS/SNAKE ransomware family. In this\r\nblog post, we review what is known about this ransomware strain and what we have been able to analyze so far.\r\nTargeted ransomware with a liking for ICS\r\nFirst public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez\r\nsharing information about a new targeted ransomware written in GOLANG.\r\nThe group appears to have a special interest for Industrial Control Systems (ICS), as detailed in this blog post by\r\nsecurity firm Dragos.\r\nOn June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT.\r\nWhen we started looking at the code, we found several artefacts that corroborate this possibility.\r\nArticle continues below this ad.\r\nWhen the malware executes, it will try to resolve to a hardcoded hostname (mds.honda.com). If, and only if it\r\ndoes, will the file encryption begin. The same logic, with a specific hostname, also applied to the ransomware\r\nallegedly tied to Enel.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 1 of 18\n\nTarget: Honda\r\nResolving internal domain: mds.honda.com\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nTarget: Enel\r\nResolving internal domain: enelint.global\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nRDP as a possible attack vector\r\nBoth companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference\r\nhere). RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions.\r\nRDP Exposed: /AGL632956.jpn.mds.honda.com\r\nRDP Exposed: /IT000001429258.enelint.global\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 2 of 18\n\nHowever, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper\r\ninternal investigation will be able to determine exactly how the attackers were able to compromise the affected\r\nnetworks.\r\nDetection\r\nWe tested the ransomware samples publicly available in our lab by creating a fake internal server that would\r\nrespond to the DNS query made by the malware code with the same IP address it expected. We then ran the\r\nsample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for\r\nbusinesses.\r\nWe detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection\r\nlayers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our\r\nanti-ransomware technology was able to quarantine the malicious file without the use of any signature.\r\nRansomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target\r\nbig companies in order to extort large sums of money.\r\nRDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently\r\nlearned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map\r\nout all assets, patch them, and never allow them to be publicly exposed.\r\nWe will update this blog post if we come across new relevant information.\r\nIndicators of Compromise (IOCs)\r\nHonda related sample:\r\nd4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1 mds.honda.com\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 3 of 18\n\nEnel related sample:\r\nedef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a\r\nenelint.global\r\nOn June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT.\r\nWhen we started looking at the code, we found several artefacts that corroborate this possibility.\r\nWhen the malware executes, it will try to resolve to a hardcoded hostname (mds.honda.com). If, and only if it\r\ndoes, will the file encryption begin. The same logic, with a specific hostname, also applied to the ransomware\r\nallegedly tied to Enel.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 4 of 18\n\nTarget: Honda\r\nResolving internal domain: mds.honda.com\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nTarget: Enel\r\nResolving internal domain: enelint.global\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nRDP as a possible attack vector\r\nBoth companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference\r\nhere). RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions.\r\nRDP Exposed: /AGL632956.jpn.mds.honda.com\r\nRDP Exposed: /IT000001429258.enelint.global\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 5 of 18\n\nHowever, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper\r\ninternal investigation will be able to determine exactly how the attackers were able to compromise the affected\r\nnetworks.\r\nDetection\r\nWe tested the ransomware samples publicly available in our lab by creating a fake internal server that would\r\nrespond to the DNS query made by the malware code with the same IP address it expected. We then ran the\r\nsample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for\r\nbusinesses.\r\nWe detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection\r\nlayers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our\r\nanti-ransomware technology was able to quarantine the malicious file without the use of any signature.\r\nRansomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target\r\nbig companies in order to extort large sums of money.\r\nRDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently\r\nlearned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map\r\nout all assets, patch them, and never allow them to be publicly exposed.\r\nWe will update this blog post if we come across new relevant information.\r\nIndicators of Compromise (IOCs)\r\nHonda related sample:\r\nd4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1 mds.honda.com\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 6 of 18\n\nEnel related sample:\r\nedef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a\r\nenelint.global\r\nCar manufacturer Honda has been hit by a cyber attack, according to a report published by the BBC, and later\r\nconfirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the\r\ncompanies belonging to Enel Argentina which operates in the business of energy distribution in the City of Buenos\r\nAires.\r\nBased on samples posted online, these incidents may be tied to the EKANS/SNAKE ransomware family. In this\r\nblog post, we review what is known about this ransomware strain and what we have been able to analyze so far.\r\nTargeted ransomware with a liking for ICS\r\nFirst public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez\r\nsharing information about a new targeted ransomware written in GOLANG.\r\nThe group appears to have a special interest for Industrial Control Systems (ICS), as detailed in this blog post by\r\nsecurity firm Dragos.\r\nOn June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT.\r\nWhen we started looking at the code, we found several artefacts that corroborate this possibility.\r\nWhen the malware executes, it will try to resolve to a hardcoded hostname (mds.honda.com). If, and only if it\r\ndoes, will the file encryption begin. The same logic, with a specific hostname, also applied to the ransomware\r\nallegedly tied to Enel.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 7 of 18\n\nTarget: Honda\r\nResolving internal domain: mds.honda.com\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nTarget: Enel\r\nResolving internal domain: enelint.global\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nRDP as a possible attack vector\r\nBoth companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference\r\nhere). RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions.\r\nRDP Exposed: /AGL632956.jpn.mds.honda.com\r\nRDP Exposed: /IT000001429258.enelint.global\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 8 of 18\n\nHowever, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper\r\ninternal investigation will be able to determine exactly how the attackers were able to compromise the affected\r\nnetworks.\r\nDetection\r\nWe tested the ransomware samples publicly available in our lab by creating a fake internal server that would\r\nrespond to the DNS query made by the malware code with the same IP address it expected. We then ran the\r\nsample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for\r\nbusinesses.\r\nWe detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection\r\nlayers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our\r\nanti-ransomware technology was able to quarantine the malicious file without the use of any signature.\r\nRansomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target\r\nbig companies in order to extort large sums of money.\r\nRDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently\r\nlearned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map\r\nout all assets, patch them, and never allow them to be publicly exposed.\r\nWe will update this blog post if we come across new relevant information.\r\nIndicators of Compromise (IOCs)\r\nHonda related sample:\r\nd4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1 mds.honda.com\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 9 of 18\n\nEnel related sample:\r\nedef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a\r\nenelint.global\r\nTarget: Honda\r\nResolving internal domain: mds.honda.com\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nTarget: Enel\r\nResolving internal domain: enelint.global\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nRDP as a possible attack vector\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 10 of 18\n\nBoth companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference\r\nhere). RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions.\r\nRDP Exposed: /AGL632956.jpn.mds.honda.com\r\nRDP Exposed: /IT000001429258.enelint.global\r\nHowever, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper\r\ninternal investigation will be able to determine exactly how the attackers were able to compromise the affected\r\nnetworks.\r\nDetection\r\nWe tested the ransomware samples publicly available in our lab by creating a fake internal server that would\r\nrespond to the DNS query made by the malware code with the same IP address it expected. We then ran the\r\nsample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for\r\nbusinesses.\r\nWe detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection\r\nlayers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our\r\nanti-ransomware technology was able to quarantine the malicious file without the use of any signature.\r\nRansomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target\r\nbig companies in order to extort large sums of money.\r\nRDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently\r\nlearned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map\r\nout all assets, patch them, and never allow them to be publicly exposed.\r\nWe will update this blog post if we come across new relevant information.\r\nIndicators of Compromise (IOCs)\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 11 of 18\n\nHonda related sample:\r\nd4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1 mds.honda.com\r\nEnel related sample:\r\nedef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a\r\nenelint.global\r\nOn June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT.\r\nWhen we started looking at the code, we found several artefacts that corroborate this possibility.\r\nWhen the malware executes, it will try to resolve to a hardcoded hostname (mds.honda.com). If, and only if it\r\ndoes, will the file encryption begin. The same logic, with a specific hostname, also applied to the ransomware\r\nallegedly tied to Enel.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 12 of 18\n\nTarget: Honda\r\nResolving internal domain: mds.honda.com\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nTarget: Enel\r\nResolving internal domain: enelint.global\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nRDP as a possible attack vector\r\nBoth companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference\r\nhere). RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions.\r\nRDP Exposed: /AGL632956.jpn.mds.honda.com\r\nRDP Exposed: /IT000001429258.enelint.global\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 13 of 18\n\nHowever, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper\r\ninternal investigation will be able to determine exactly how the attackers were able to compromise the affected\r\nnetworks.\r\nDetection\r\nWe tested the ransomware samples publicly available in our lab by creating a fake internal server that would\r\nrespond to the DNS query made by the malware code with the same IP address it expected. We then ran the\r\nsample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for\r\nbusinesses.\r\nWe detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection\r\nlayers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our\r\nanti-ransomware technology was able to quarantine the malicious file without the use of any signature.\r\nRansomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target\r\nbig companies in order to extort large sums of money.\r\nRDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently\r\nlearned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map\r\nout all assets, patch them, and never allow them to be publicly exposed.\r\nWe will update this blog post if we come across new relevant information.\r\nIndicators of Compromise (IOCs)\r\nHonda related sample:\r\nd4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1 mds.honda.com\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 14 of 18\n\nEnel related sample:\r\nedef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a\r\nenelint.global\r\nCar manufacturer Honda has been hit by a cyber attack, according to a report published by the BBC, and later\r\nconfirmed by the company in a tweet. Another similar attack, also disclosed on Twitter, hit Edesur S.A., one of the\r\ncompanies belonging to Enel Argentina which operates in the business of energy distribution in the City of Buenos\r\nAires.\r\nBased on samples posted online, these incidents may be tied to the EKANS/SNAKE ransomware family. In this\r\nblog post, we review what is known about this ransomware strain and what we have been able to analyze so far.\r\nTargeted ransomware with a liking for ICS\r\nFirst public mentions of EKANS ransomware date back to January 2020, with security researcher Vitali Kremez\r\nsharing information about a new targeted ransomware written in GOLANG.\r\nThe group appears to have a special interest for Industrial Control Systems (ICS), as detailed in this blog post by\r\nsecurity firm Dragos.\r\nOn June 8, a researcher shared samples of ransomware that supposedly was aimed at Honda and ENEL INT.\r\nWhen we started looking at the code, we found several artefacts that corroborate this possibility.\r\nWhen the malware executes, it will try to resolve to a hardcoded hostname (mds.honda.com). If, and only if it\r\ndoes, will the file encryption begin. The same logic, with a specific hostname, also applied to the ransomware\r\nallegedly tied to Enel.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 15 of 18\n\nTarget: Honda\r\nResolving internal domain: mds.honda.com\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nTarget: Enel\r\nResolving internal domain: enelint.global\r\nRansom e-mail: CarrolBidell@tutanota[.]com\r\nRDP as a possible attack vector\r\nBoth companies had some machines with Remote Desktop Protocol (RDP) access publicly exposed (reference\r\nhere). RDP attacks are one of the main entry points when it comes to targeted ransomware opertaions.\r\nRDP Exposed: /AGL632956.jpn.mds.honda.com\r\nRDP Exposed: /IT000001429258.enelint.global\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 16 of 18\n\nHowever, we cannot say conclusively that this is how threat actors may have gotten in. Ultimately, only a proper\r\ninternal investigation will be able to determine exactly how the attackers were able to compromise the affected\r\nnetworks.\r\nDetection\r\nWe tested the ransomware samples publicly available in our lab by creating a fake internal server that would\r\nrespond to the DNS query made by the malware code with the same IP address it expected. We then ran the\r\nsample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for\r\nbusinesses.\r\nWe detect this payload as ‘Ransom.Ekans’ when it attempts to execute. In order to test another of our protection\r\nlayers, we also disabled (not recommended) the malware protection to let the behavior engine do its thing. Our\r\nanti-ransomware technology was able to quarantine the malicious file without the use of any signature.\r\nRansomware gangs have shown no mercy, even in this period of dealing with a pandemic. They continue to target\r\nbig companies in order to extort large sums of money.\r\nRDP has been called out as some of the lowest hanging fruit preferred by attackers. However, we also recently\r\nlearned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map\r\nout all assets, patch them, and never allow them to be publicly exposed.\r\nWe will update this blog post if we come across new relevant information.\r\nIndicators of Compromise (IOCs)\r\nHonda related sample:\r\nd4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1 mds.honda.com\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 17 of 18\n\nEnel related sample:\r\nedef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a\r\nenelint.global\r\nSource: https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/"
	],
	"report_names": [
		"honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a75b7ed663c942bbca1250227eda4413175e369.pdf",
		"text": "https://archive.orkl.eu/2a75b7ed663c942bbca1250227eda4413175e369.txt",
		"img": "https://archive.orkl.eu/2a75b7ed663c942bbca1250227eda4413175e369.jpg"
	}
}