REvil previously infected the networks of Honda, the makers of Jack Daniels and a high-profile law firm representing Donald Trump.
Cyberattackers behind the REvil ransomware have claimed another victim, this time global computer conglomerate Acer, and are demanding a record $50 million ransom.
First reported by BleepingComputer, the attackers announced that they had breached Acer’s systems on Friday by posting financial documents and bank forms from the Taiwanese laptop, desktop and monitor maker.
Acer sent the same statement to multiple news outlets, refusing to confirm or deny the attack and only saying that companies like it “are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”
“Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer’s internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures,” the company said in a statement to ZDNet.
Subsequent reporting over the weekend from LeMagIT and SearchSecurity found that the attackers wanted the $50 million paid in Monero cryptocurrency and offered to cut the price by 20% if payment was delivered on March 17, which it appears it was not.
ComputerWeekly, a sister site of LeMagIT and SearchSecurity, reported that Acer’s negotiators allegedly offered $10 million, which was turned down by the attackers, who gave a March 28 deadline for payment. If the ransom isn’t paid by that date, it will be doubled, according to ComputerWeekly.
BleepingComputer had a photo of the ransom demand and said Acer’s representatives began speaking with the attackers on March 14. SearchSecurity found that proof of the hack was posted to the “Happy Blog,” where REvil attackers typically post the information they steal.
BleepingComputer also reported that there are some indications that the people behind REvil used a Microsoft Exchange server on Acer’s domain, potentially making it one of the first times a ransomware group leveraged a heavily publicized vulnerability to complete an attack.
“It was only a matter of time before the recent Microsoft Exchange vulnerability exploited an organization, and in the current climate, it was swift,” said James McQuiggan, security awareness advocate at KnowBe4. “The WannaCry ransomware from 2017 utilized the EternalBlue exploit and took a few months before a massive attack occurred. With this attack, it took just weeks.”
Oliver Tavakoli, CTO at Vectra, said that organizations should expect the Microsoft Exchange Server vulnerabilities to be leveraged by various actors with varying objectives over the coming weeks and months.
Targeted ransomware actors like REvil will see this as a particular boon, Tavakoli explained, because the many bespoke steps of an attack (infiltration, reconnaissance, gaining access to valuable data) can be short-circuited with a direct attack on an organization’s Exchange Server.
“The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit; I would guess that Acer would either pay no ransom or would negotiate a much-reduced amount,” Tavakoli added.
The $50 million figure is considered the largest ransom ever demanded by ransomware attackers, according to ZDNet, which said the previous high was $30 million.
The group behind the REvil ransomware has made millions since emerging in 2019. Interpol was watching the group starting last March, when it reported that the gang was targeting manufacturers in March and wholesale distributors in April.
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said the REvil ransomware group is known for its high ransom demands and referenced a recent attack in February in which the group demanded a $30 million ransom from Dairy Farm, a pan-Asian retailer.
“The large demand suggests that REvil likely exfiltrated information that is highly confidential, or information that could be used to launch cyber attacks on Acer’s customers,” Righi said.
In 2020, the group launched several high-profile attacks targeting companies like money transfer service Travelex, Honda, Jack Daniels maker Brown-Forman and law firm Grubman Shire Meiselas & Sacks, which represents major figures like former President Donald Trump, Rod Stewart, Lady Gaga, Madonna and Robert De Niro.
It’s unclear whether the organizations attacked paid the ransoms, but Atlas VPN reported that Travelex did end up paying REvil $2.3 million. Malwarebytes’ 2021 State of Malware report said the REvil attackers claimed to have made $100 million in 2020, largely from demanding payment for not posting stolen data.
The group was so successful in 2020 that it began holding dark web competitions as a way to recruit new members and grow, even depositing $1 million into one forum as proof of its financial feats, according to a report from Digital Shadows.
“Sophisticated cyber criminal organizations like REvil understand the basic elements of data security and have developed a double-whammy attack style which leaves their victims vulnerable on both fronts. They’ll always seek to encrypt and exfiltrate data to give themselves more vectors of leverage to extort money for its decryption and/or safe return,” said Brian Higgins, security specialist at Comparitech.
“Some companies have paid large sums for the latter in the past, trusting their blackmailers when they say that they have not shared or sold the data prior to its safe return. But they’re organized criminals, so can you really expect them to be telling the truth when they stand to make millions in ransoms and even more for selling the data to other criminal organizations?”
Those behind the ransomware even created an eBay-like forum where people could bid on stolen data using Monero cryptocurrency, AppGate noted in a report last year.
Brent Johnson, CISO at Bluefin, said it isn’t enough to simply have backups of data anymore, urging enterprises to encrypt or tokenize sensitive data to make it less valuable to attackers.
“If not, hackers can leverage clear-text data to demand companies pay, or they’ll expose the data in what’s being called a ‘double-extortion’ scheme,” Johnson said.
Other cybersecurity experts focused on the use of the Microsoft Exchange vulnerability as one of the most concerning aspects of the attack.
Netenrich chief information security officer Brandon Hoffman noted that attackers are eager to take advantage of the Microsoft Exchange vulnerability because it has been a long time since a technology so prolific was so easily exploited.
“The name of the game in ransomware is finding easy entry points, and that’s what the Exchange vulnerability presented. The third consideration is that cyber criminals have been investing their time in supply chain and developer tool attacks, which has reduced the focus on ransomware attacks since they’re now playing the ‘long game,’” Hoffman said.
“This presents an opportunity in itself because attackers who saw the payoff from those supply chain attacks left a gap where ransomware operators have more available attack surface (meaning ransomware will become a bull market again).”