Acer suffered a REvil ransomware attack that attracted the highest ransomware demand in history. The threat actor behind the attack shared some of the pilfered files as proof of responsibility.
However, the Taiwanese electronic behemoth was reluctant to acknowledge a ransomware attack. Instead, the company cited “reported abnormal situations” and claimed to be “constantly under attack.”
With a workforce of 7,000, annual revenue of $7.8 billion in 2019, and $3 billion in earnings in Q4 2020, Acer ranks among the most popular brands to fall victim to ransomware attacks.
REvil ransomware attack on Acer the most expensive in history
The ransomware gang that breached Acer demanded possibly the highest ransom demand of $50 million or XMR 214,151 (Monero), according to BleepingComputer. The previous record was a $30 million ransom payment demanded from Dairy Farm, also by the same ransomware group.
REvil ransomware released some of Acer’s exfiltrated files on its “Happy Blog” to prove its responsibility for the ransomware attack.
Documents published include bank balances, bank communications, and financial spreadsheets. When contacted by Bleeping Computer, Acer refused to confirm or deny suffering a REvil ransomware attack.
Instead, the electronics giant released a statement claiming that “Acer routinely monitors its IT systems, and most cyberattacks are well defensed.”
Additionally, the company claimed that organizations of its stature were constantly under attack. It also admitted reporting “abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”
“We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity,” Acer said. Upon further prodding, the company said that an ongoing investigation prevented it from sharing more information “for the sake of security.”
Acer warned organizations to remain vigilant against abnormal network activity. Likely, the company was wary that the attackers could exploit its products to carry out a supply chain attack similar to SolarWinds.
However, the attackers offered a 20% discount if the payment was made Wednesday, March 17, according to private chats between an Acer representative and the REvil ransomware gang as reported by BleepingComputer.
The threat actor also promised to provide a decryptor and a vulnerability report to prevent Acer from falling victim to other cybercriminals. Several companies have fallen victims to subsequent ransomware attacks immediately after paying a ransom.
REvil also warned that the ransom demand would double to $100 million if Acer failed to pay on time. Similarly, the cybercriminal gang would publish the data it allegedly stole from Acer if the company failed to pay by March 28.
BleepingComputer also reported that REvil ransomware warned Acer not to repeat SolarWinds’ mistakes.
REvil ransomware exploited Acer via Microsoft Exchange server
Advanced Intel’s cyber intelligence platform Andariel reported that the REvil ransomware gang attempted to exploit Acer’s Microsoft Exchange server.
The Microsoft Exchange vulnerabilities are blamed for exploits affecting over 30,000 U.S. organizations. If Acer’s ransomware attack originated from Microsoft Exchange vulnerabilities, it would be the first high-profile ransomware attack associated with the popular mail server software hack.
Microsoft Exchange email server hack was attributed to Chinese state-sponsored threat actors “HAFNIUM.” Coincidentally, Taiwan and China are sworn enemies with the latter threatening military action against the island nation which it considers part of its territory. However, the REvil ransomware attack on Acer appears to have no political motives.
REvil ransomware group is also attributed to the Travelex ransomware attack in 2020 that attracted an initial $6 million ransom demand. The gang settled on a $2.3 million payment in Bitcoins.
“It was only a matter of time before the recent Microsoft Exchange vulnerability exploited an organization, and in the current climate, it was swift,” James McQuiggan, security awareness advocate at KnowBe4, said. “The WannaCry ransomware from 2017 utilized the EternalBlue exploit and took only a few months before a massive attack occurred. With this attack, it took just weeks.”
He advises organizations to maintain a multi-layer network infrastructure to reduce the chances of criminals accessing sensitive data. He also recommended security awareness training and monitoring endpoints for data transfers to unusual destinations during odd hours.
“Ransomware is just another type of malware,” adds Brent Johnson, CISO at Bluefin. “It’s very important to employ multiple layers of security and monitoring controls in your environment to help prevent this type of exposure. Keeping virus signatures and patching up to date, as well as maintaining recent or real-time backups can also help limit the efficacy of this type of attack.”
Oliver Tavakoli, CTO at Vectra, predicts that Microsoft Exchange server vulnerability would be leveraged by various threat actors for various objectives.
“Targeted ransomware actors like REvil will see this as a particular boon as the many bespoke steps of an attack (infiltration, reconnaissance, gaining access to valuable data) can be short-circuited with a direct attack on an organization’s Exchange server,” Tavakoli noted. “The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit – I would guess that Acer would either pay no ransom or would negotiate a much-reduced amount.”
Commenting on Acer’s REvil ransomware attack, Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, says:
“The REvil ransomware group is known for its high ransom demands, with a recent example being its USD 30 million ransom demanded from Dairy Farm in February 2021. It is not known if any of REvil’s victims have paid these exorbitant ransom demands, although it is unlikely. The large demand suggests that REvil likely exfiltrated information that is highly confidential, or information that could be used to launch cyberattacks on Acer’s customers.”
He noted that the REvil ransomware gang allegedly targeted Microsoft Exchange server vulnerabilities, an attack vector that was becoming popular with many cybercriminals.
“Other ransomware groups targeting ProxyLogon vulnerabilities have included “DearCry” and “BlackKingdom”, but it is likely there are more undiscovered instances in the wild. Mitigation for Exchange server vulnerabilities includes applying the security updates issued by Microsoft and scanning systems for traces of attacks.”
According to Righi, other popular attack vectors include weaponized attachments via phishing and remote desktop protocols (RDP).
“Ransomware operators also may target systems that are pre-infected with other types of malware. Organizations should create a robust security awareness program that trains employees to identify suspicious emails and report them to an incident response authority. Organizations should also restrict RDP behind an RDP Gateway and enable Network Level Authentication to provide security benefits if RDP is required to be Internet-facing.”