REvil continues ransomware attack streak with takeover of laptop maker Acer


REvil previously infected the networks of Honda, the makers of Jack Daniels and a significant-profile regulation firm symbolizing Donald Trump.

Picture: Acer

Cyberattackers at the rear of the REvil ransomware have claimed yet another victim, this time international laptop computer conglomerate Acer, and are demanding a file $50 million ransom. 

First documented by Bleeping Computer system, the attackers introduced that they had breached Acer’s units on Friday by putting up economical paperwork and financial institution varieties from the Taiwanese notebook, desktop and keep track of maker.

SEE: Id theft security plan (TechRepublic High quality)

Acer despatched out the exact statement to numerous news shops, refusing to validate or deny the attack and only expressing businesses like it “are consistently under assault, and we have described modern abnormal conditions observed to the related law enforcement and info security authorities in multiple international locations.”

“Acer learned abnormalities from March and straight away initiated stability and precautionary actions. Acer’s inside stability mechanisms proactively detected the abnormality, and straight away initiated security and precautionary actions,” the company stated in a assertion to ZDNet. 

Subsequent reporting about the weekend from LeMagIT and SearchSecurity discovered the attackers wished the $50 million paid out in Monero cryptocurrency and made available to slice the price by 20% if payment was delivered on March 17, which it seems it was not. 

ComputerWeekly, a sister web page of LeMagIT and SearchSecurity, noted that Acer’s negotiators allegedly made available $10 million, which was turned down by the attackers, who gave a March 28 deadline for payment. If the ransom is not paid out by that day, it will be doubled, in accordance to ComputerWeekly. 

Bleeping Laptop had a photograph of the ransom demand and reported Acer’s reps began talking with the attackers on March 14. SearchSecurity uncovered that evidence of the hack was posted to the “Delighted Weblog” wherever REvil attackers typically submit the data they steal. 

Bleeping Pc also described that there are some indications showing the people at the rear of REvil made use of a Microsoft Trade server on Acer’s area, probably generating it a single of the first situations a ransomware team leveraged a heavily publicized vulnerability to entire an assault. 

“It was only a make any difference of time in advance of the modern Microsoft Trade vulnerability exploited an corporation, and in the latest climate, it was swift,” claimed James McQuiggan, stability awareness advocate at KnowBe4. “The WannaCry ransomware from 2017 utilized the EternalBlue exploit and took only a few months just before a significant attack transpired. With this attack, it took just weeks.”

Oliver Tavakoli, CTO at Vectra, said that businesses must count on that the Microsoft Exchange Server vulnerabilities will be leveraged by a quantity of actors with varying objectives around the coming weeks and months. 

SEE: Social engineering: A cheat sheet for enterprise industry experts (free PDF) (TechRepublic)

Specific ransomware actors like REvil will see this as a certain boon as the quite a few bespoke techniques of an attack—infiltration, reconnaissance, getting access to useful data—can be small-circuited with a immediate attack on an organization’s Trade Server, Tavakoli explained. 

“The sizing of the ransom ask for arrives down to risk actors screening the marketplace with a fantastical opening gambit—I would guess that Acer would possibly pay no ransom or would negotiate a a great deal-lessened volume,” Tavakoli extra. 

The $50 million figure is considered the greatest ransom to at any time be demanded by ransomware attackers, according to ZDNet, which mentioned the preceding large was $30 million. 

The group driving the REvil ransomware has built thousands and thousands given that rising in 2019. Interpol was viewing the team commencing past March, when it described that the gang was focusing on brands in March and wholesale distributors in April. 

Ivan Righi, cyber threat intelligence analyst at Digital Shadows, claimed the REvil ransomware team is recognized for its higher ransom needs and referenced a current attack in February wherever the group demanded $30 million ransom from Dairy Farm, a pan-Asian retailer. 

“The big demand implies that REvil very likely exfiltrated information and facts that is really private, or data that could be applied to launch cyber assaults on Acer’s customers,” Righi mentioned. 

In 2020, the team launched many superior profile assaults focusing on organizations like revenue transfer support Travelex, Honda, Jack Daniels maker Brown-Forman and regulation company Grubman Shire Meiselas & Sacks, which signifies major figures like former President Donald Trump, Rod Stewart, Girl Gaga, Madonna and Robert De Niro. 

It is unclear regardless of whether the businesses attacked paid the ransoms, but Atlas VPN reported that Travelex did conclusion up shelling out REvil $2.3 million. Malwarebytes’ 2021 Point out of Malware report explained the REvil attackers claimed to have created $100 million in 2020, typically from demanding payment for not submitting stolen info.

The team was so prosperous in 2020 that it started keeping dim internet competitions in purchase to recruit new associates and grow, even depositing $1 million into a person discussion board as evidence of their economical feats, according to a report from Electronic Shadows. 

“Refined cyber felony organizations like REvil realize the essential elements of info security and have produced a double-whammy attack style which leaves their victims susceptible on both of those fronts. They will often search for to encrypt and exfiltrate details to give on their own far more vectors of leverage to extort funds for its decryption and/or harmless return,” explained Brian Higgins, stability professional at Comparitech.

“Some providers have paid huge sums for the latter in the previous, trusting their blackmailers when they say that they haven’t shared or marketed the info prior to its harmless return. But they are structured criminals, so can you definitely hope them to be telling the truth of the matter when they stand to make hundreds of thousands in ransoms and even a lot more for promoting the information to other felony organizations?”

All those powering the ransomware even established an-eBay like forum where by men and women could bid on stolen facts working with Monero cryptocurrency, Application Gate pointed out in a report very last year. 

Brent Johnson, CISO at Bluefin, explained it is not ample to just have backups of knowledge any more, urging enterprises to encrypt or tokenize sensitive data to make it much less useful for attackers. 

“If not, hackers can leverage clear-textual content information to demand companies pay back, or they will expose the knowledge in what is currently being identified as a ‘double-extortion’ scheme,” Johnson claimed.

Other cybersecurity industry experts targeted on the use of Microsoft Trade vulnerability as 1 of the most regarding features of the attack. 

Netenrich main facts protection officer Brandon Hoffman noted that attackers are eager to acquire benefit of the Microsoft Trade vulnerability because it has been a very long time considering the fact that a technologies so prolific was so quickly exploited. 

“The identify of the sport in ransomware is finding effortless entry factors, and that is what the Exchange vulnerability offered. The third consideration is that cyber criminals have been investing their time in provide chain and developer device attacks, which has reduced the aim on ransomware assaults considering the fact that they are now enjoying the ‘long sport,'” Hoffman mentioned. 

“This provides an opportunity in alone due to the fact attackers who observed the payoff from these source chain assaults still left a gap where by ransomware operators have far more obtainable attack surface area (indicating ransomware will develop into a bull market all over again).”

Also see



Resource backlink