Acer Reportedly Targeted by Ransomware Gang
PC and Device Maker Appears to Have Been Targeted by REvil
This story has been updated.
Acer, one of the world's largest PC and device makers, has been targeted by the ransomware gang REvil, aka Sodinokibi, according to news reports.
On Thursday, the REvil gang posted what it claims is Acer company data to its darknet "news" site. It's demanding $50 million from the Taiwanese firm, according to Bleeping Computer, which first reported the attack and has since published a copy of the ransom note. Bleeping Computer also reports the attack may have taken advantage of the ProxyLogon flaw in an unpatched on-premises Microsoft Exchange server.
Acer has not confirmed it has been attacked or if data posted to the REvil darknet site is legitimate. A company official told Bleeping Computer: "There is an ongoing investigation and for the sake of security, we are unable to comment on details."
A source provided Information Security Media Group with several screenshots from the REvil darknet site that show customer data, payment application forms and other information that the gang claims it stole from Acer during an attack.
An Acer spokesman told ISMG on Sunday: "Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries."
The company spokesman added: "We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cybersecurity disciplines and best practices, and be vigilant to any network activity abnormalities."
Acer is one of the world's largest manufacturers of PCs, smartphones, devices and other hardware, including desktop monitors. In the fourth quarter of 2020, it ranked fifth in worldwide PC shipments, with more than 6.5 million desktops and laptops shipped during the quarter, according to a January analysis published by IDC.
REvil is one of several cybercriminal gangs that practice what analysts call double extortion. Not only does the group use crypto-locking malware to encrypt data and files at a victimized organization, but the cybercrooks also steal that information beforehand and threaten to publish it if demands are not met. This puts additional pressure on victims to pay.
Besides its extortion methods, REvil is known to demand multimillion-dollar payments from victims to return data and decrypt files. For instance, Travelex, a London-based foreign currency exchange that does business in 26 countries, including the U.S., paid the ransomware gang $2.3 million in 2020 to regain access to its data following an attack (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).
And while REvil has demanded and received million-dollar payments, the reported $50 million extortion attempt against Acer is highly unusual and is likely designed to get the company to at least pay a portion of that, says Brett Callow, a security threat analyst at security firm Emsisoft.
"When groups make enormous demands like this, I’m not sure they actually expect to be paid - at least not their full ask," Callow says. "To my mind, it’s far more likely that the demand is intended to encourage companies to up their policy limits and make them feel lucky - and so more likely to pay - when they get hit with a 'modest' demand of $10 million."
Over the weekend, security researchers continued to investigate the possibility that REvil or one of its affiliates may have used one of the four vulnerabilities in Microsoft Exchange servers as part of the reported attacks on Acer.
Yelisey Boguslavskiy, head of research for security firm Advanced Intelligence, says that while REvil and its affiliates often exploit flaws in Pulse Secure VPN servers as part of their initial attacks, ransomware gangs have recently begun expressing interest in taking advantage of vulnerabilities that have been found in Exchange servers.
"Moreover, with the darkweb chatter analysis, we have identified strong interest from ransomware groups in the four novel Microsoft CVEs, primarily the aspect of data exfiltration," Boguslavskiy says. "All this makes us believe that the REvil members and affiliates were exploring server vulnerabilities, possibly for Acer, in order to identify a weak spot and commit an intrusion."
On March 9, researchers with Sophos spotted a new ransomware variant in the wild called DearCry, which appears to have been rushed into use to take advantage of one of the four Exchange vulnerabilities, specifically the ProxyLogon flaw known as CVE-2021-26855. This is the same vulnerability that REvil reportedly used against Acer (see: Rushed to Market: DearCry Ransomware Targeting Exchange Bug).
On Sunday, security researcher Marcus Hutchins, aka "MalwareTech," published a report on Twitter about a group scanning for Exchange servers that are prone to the ProxyLogon vulnerability. He said the group claims to be deploying a ransomware variant called "BlackKingdom," although the malware does not appear to encrypt files or exfiltrate data, but instead drops a ransom note to victims with threats and payment demands.
Profits for ransomware gangs continue to rise, according to security researchers.
Earlier this month, blockchain analysis firm Chainalysis published a report that found about $370 million in known ransomware profits in 2020 from ransom payments. This is a staggering 336% increase over known 2019 earnings (see: Mark of Ransomware's Success: $370 Million in 2020 Profits).
One possible reason for this uptick in ransomware profits is that gangs are targeting critical infrastructure, such as government entities and healthcare organizations, which have been overwhelmed by the COVID-19 pandemic, according to an analysis by Trend Micro.
During this time, REvil, or Sodinokibi, has been one of the most prolific ransomware gangs operating. IBM Security X-Force found that about 22% of all ransomware incidents it investigated in 2020 involved REvil, and the gang reportedly bragged on a Russian underground forum that it had earned $12 million in 12 months.
REvil is also known to target vulnerable remote connections to gain a foothold in networks as part of its attacks. For example, when the gang targeted the celebrity New York law firm Grubman Shire Meiselas & Sacks, the cybercriminals appeared to take advantage of a flaw in a Pulse Secure VPN server to gain a foothold (see: Hacked Law Firm May Have Had Unpatched Pulse Secure VPN).