Acer Attacked
Acer is a Taiwanese multinational specializing in computer hardware and advanced electronics. As of January 2021, the company is the sixth-largest PC vendor with consolidated revenues of around US $9.7 billion. The company was reportedly attacked by the REvil ransomware group last week, who then published various Acer documents over the weekend as proof of the breach. REvil, also known as Sodinokibi, was first discovered in 2019 by the threat intelligence firm Cisco Talos. The group is regarded as one of the most dangerous and most active ransomware groups around. REvil used Tor to publish Acer’s stolen documents, which included financial spreadsheets, bank balances and bank communications. Acer has not confirmed the breach nor what steps it is taking to rectify the problem. The only statement from Acer regarding the alleged ransomware attack says that they “reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries”.
Highest Known Ransom Demand Thus Far
According to the French news site LeMagIT, REvil have demanded that Acer pay a ransom of US $50 million. Once the payment is received, REvil indicated they would provide a decryptor and a vulnerability report. Furthermore, the cybercriminals promised to delete the stolen files. REvil allegedly offered Acer a 20% discount if the ransom payment reached them by last Wednesday. The group also advised they would increase the ransom to $100 million if the ransom isn’t paid by 28 March. Finally, the group warned Acer “to not repeat the fate of the SolarWind.” It is not known whether Acer has paid the ransom demanded or not. The $50 million ransom is the highest known ransom demand to date by any ransomware group. The previous highest ransoms were from the Dairy Farm cyberattack and the Grubman Shire Meiselas & Sacks law firm attack. Both these attacks were conducted by REvil and demanded $30 million and $42 million respectively. Late last year, REvil also attacked Travelex causing the company to go into administration.
Attack Possibly Leveraged ProxyLogon Vulnerabilities
Information gathered through Advanced Intelligence’s Andariel cyber-intelligence platform indicates that a REvil affiliate cybergroup targeted an Acer Microsoft Exchange server. Advanced Intelligence CEO, Vitali Kremez, stated that their cyber-intelligence system “detected that one particular REvil affiliate pursued Microsoft Exchange weaponization.” If this is true, REvil is not the first ransomware group to take advantage of Microsoft Exchange Server ProxyLogon vulnerabilities. Last week DearCry was also seen leveraging these vulnerabilities. However, DearCry is a relatively small operation which is likely to have few victims, hitting small to medium businesses. REvil on the other hand, is a big game-hunting ransomware operation capable of attacking many major corporations, should they have had vulnerable Exchange servers. REvil is the first of such large ransomware operations to exploit the ProxyLogon vulnerabilities.