REvil continues ransomware attack streak with takeover of laptop maker Acer

REvil previously infected the networks of Honda, the makers of Jack Daniels and a high-profile law firm representing Donald Trump.

Acer Nitro 5 laptop

Image: Acer

More about cybersecurity

Cyberattackers behind the REvil ransomware have claimed another victim, this time global laptop conglomerate Acer, and are demanding a record $50 million ransom. 

First reported by Bleeping Computer, the attackers announced that they had breached Acer’s systems on Friday by posting financial documents and bank forms from the Taiwanese laptop, desktop and monitor maker.

SEE: Identity theft protection policy (TechRepublic Premium)

Acer sent out the same statement to multiple news outlets, refusing to confirm or deny the attack and only saying companies like it “are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

“Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer’s internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures,” the company said in a statement to ZDNet. 

Subsequent reporting over the weekend from LeMagIT and SearchSecurity found the attackers wanted the $50 million paid in Monero cryptocurrency and offered to cut the price by 20% if payment was delivered on March 17, which it appears it was not. 

ComputerWeekly, a sister site of LeMagIT and SearchSecurity, reported that Acer’s negotiators allegedly offered $10 million, which was turned down by the attackers, who gave a March 28 deadline for payment. If the ransom is not paid by that date, it will be doubled, according to ComputerWeekly. 

Bleeping Computer had a photo of the ransom demand and said Acer’s representatives began speaking with the attackers on March 14. SearchSecurity found that evidence of the hack was posted to the “Happy Blog” where REvil attackers generally post the information they steal. 

Bleeping Computer also reported that there are some indications showing the people behind REvil used a Microsoft Exchange server on Acer’s domain, potentially making it one of the first times a ransomware group leveraged a heavily publicized vulnerability to complete an attack. 

“It was only a matter of time before the recent Microsoft Exchange vulnerability exploited an organization, and in the current climate, it was swift,” said James McQuiggan, security awareness advocate at KnowBe4. “The WannaCry ransomware from 2017 utilized the EternalBlue exploit and took only a few months before a massive attack occurred. With this attack, it took just weeks.”

Oliver Tavakoli, CTO at Vectra, said that organizations should expect that the Microsoft Exchange Server vulnerabilities will be leveraged by a number of actors with varying objectives over the coming weeks and months. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Targeted ransomware actors like REvil will see this as a particular boon as the many bespoke steps of an attack—infiltration, reconnaissance, gaining access to valuable data—can be short-circuited with a direct attack on an organization’s Exchange Server, Tavakoli explained. 

“The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit—I would guess that Acer would either pay no ransom or would negotiate a much-reduced amount,” Tavakoli added. 

The $50 million figure is considered the largest ransom to ever be demanded by ransomware attackers, according to ZDNet, which said the previous high was $30 million. 

The group behind the REvil ransomware has made millions since emerging in 2019. Interpol was watching the group starting last March, when it reported that the gang was targeting manufacturers in March and wholesale distributors in April. 

Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said the REvil ransomware group is known for its high ransom demands and referenced a recent attack in February where the group demanded $30 million ransom from Dairy Farm, a pan-Asian retailer. 

“The large demand suggests that REvil likely exfiltrated information that is highly confidential, or information that could be used to launch cyber attacks on Acer’s customers,” Righi said. 

In 2020, the group launched several high profile attacks targeting companies like money transfer service Travelex, Honda, Jack Daniels maker Brown-Forman and law firm Grubman Shire Meiselas & Sacks, which represents major figures like former President Donald Trump, Rod Stewart, Lady Gaga, Madonna and Robert De Niro. 

It is unclear whether the organizations attacked paid the ransoms, but Atlas VPN reported that Travelex did end up paying REvil $2.3 million. Malwarebytes’ 2021 State of Malware report said the REvil attackers claimed to have made $100 million in 2020, mostly from demanding payment for not posting stolen data.

The group was so successful in 2020 that it began holding dark web competitions in order to recruit new members and expand, even depositing $1 million into one forum as proof of their financial feats, according to a report from Digital Shadows. 

“Sophisticated cyber criminal organizations like REvil understand the basic elements of information security and have developed a double-whammy attack style which leaves their victims vulnerable on both fronts. They will always seek to encrypt and exfiltrate data to give themselves more vectors of leverage to extort money for its decryption and/or safe return,” said Brian Higgins, security specialist at Comparitech.

“Some companies have paid large sums for the latter in the past, trusting their blackmailers when they say that they haven’t shared or sold the data prior to its safe return. But they are organized criminals, so can you really expect them to be telling the truth when they stand to make millions in ransoms and even more for selling the data to other criminal organizations?”

Those behind the ransomware even created an-eBay like forum where people could bid on stolen data using Monero cryptocurrency, App Gate noted in a report last year

Brent Johnson, CISO at Bluefin, said it is not enough to simply have backups of data anymore, urging enterprises to encrypt or tokenize sensitive data to make it less valuable for attackers. 

“If not, hackers can leverage clear-text data to demand companies pay, or they will expose the data in what is being called a ‘double-extortion’ scheme,” Johnson said.

Other cybersecurity experts focused on the use of Microsoft Exchange vulnerability as one of the most concerning aspects of the attack. 

Netenrich chief information security officer Brandon Hoffman noted that attackers are eager to take advantage of the Microsoft Exchange vulnerability because it has been a long time since a technology so prolific was so easily exploited. 

“The name of the game in ransomware is finding easy entry points, and that is what the Exchange vulnerability presented. The third consideration is that cyber criminals have been investing their time in supply chain and developer tool attacks, which has reduced the focus on ransomware attacks since they are now playing the ‘long game,'” Hoffman said. 

“This presents an opportunity in itself because attackers who saw the payoff from these supply chain attacks left a gap where ransomware operators have more available attack surface (meaning ransomware will become a bull market again).”

Also see