REvil ransomware gang reportedly exploited Microsoft Exchange server flaw to attack Taiwanese PC giant Acer with mammoth demand
Taiwanese PC giant Acer is facing a $50 million ransom demand after it was hit last week by a REvil ransomware attack.
According to BleepingComputer, the ransomware gang announced on their data leak website that they had breached Acer and shared some images of allegedly stolen files as proof.
Leaked images reportedly included financial spreadsheets, bank balances, and bank communications.
Acer did not provide a clear answer to BleepingComputer’s inquiries, but did state that they “reported recent abnormal situations” to relevant authorities.
“Acer routinely monitors its IT systems, and most cyberattacks are well defensed,” it was quoted as saying. “Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”
“We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity,” it added. “We urge all companies and organisations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.”
Acer reportedly added “there is an ongoing investigation and for the sake of security, we are unable to comment on details.”
BleepingComputer also reported that the REvil gang had recently targeted a Microsoft Exchange server on Acer’s domain, citing Vitali Kremez, CEO of Advanced Intel, as its source.
This has prompted a reaction from security experts, who warn that ransomware attacks mean organisations have to ensure they have safeguarded access to their data.
“Ransomware is no longer just about encrypting files but also stealing the data making it a multifunctional weapon,” noted Joseph Carson, chief security scientist at Thycotic. “If a company has a solid backup to restore systems then the criminal gang can threaten to disclose damaging data that could directly impact the stock price, brand, employees and potential customers.”
“What we are seeing with ransomware is that cybercriminals continue to abuse privileged access which enables them to steal sensitive data and deploy malicious ransomware,” said Carson. “This means that organisations should prioritise privileged access as a top security measure to reduce the risks of ransomware and ensure strong access controls and encryption for sensitive data.”
“Companies must take ransomware very seriously as it will continue to be the biggest cyber threat, and as we can see from this eye-wateringly high ransom demand – the price you pay for not being prepared is on the rise,” said Carson. “It only takes one employee with local admin privileges clicking on a malicious email attachment to take down an entire company.”
Another expert pointed out that gangs are now using ransomware as the main source of their criminal income.
“Ransomware attacks are a major source of income for cybercriminals with a huge reward for very little effort,” said Richard Hughes, head of technical cyber security at A&O IT Group. “The $50 million demand is the highest currently known and whilst shocking only serves to demonstrate the potential that the perpetrators see in this form of attack.”
“Acer should not consider paying this ransom as doing so would simply keep this as a viable business model,” said Hughes. “It should also be noted that there is no guarantee that an organisation will be able to decrypt data after paying a ransom as ransomware does not go through strict quality control and often contains bugs that may prevent successful recovery.”
“It is more important than ever to conduct regular security assessments and ensure that the latest security patches are tested and deployed as soon as they are available,” added Hughes. “Organisations should also consider the design of their environments to help prevent the spread of an attack should the worst happen.”
The huge amount of ransom being demanded by the gang was also picked up on by Kelvin Murray, senior threat research analyst at Webroot.
“This was no doubt a meticulously planned attack which involved target research, professional hacking and uncrackable encryption,” said Murray. “As with the majority of ransomware attacks nowadays, this attack also involved data theft and the REvil gang has since taunted Acer on a message posted on a data leak website with images of stolen documents.”
“Fifty million dollars is a huge ransom demand, but when the victim is a high-profit business, then the world’s top ransomware gangs can afford to be cocky with their demands too,” he added.
“As ransomware gangs continue to be more inventive with the types of data and businesses they target, this should serve as a lesson to all organisations to keep adequate technical defences in place to ensure cyber resilience – including threat intelligence technologies, up-to-date software and operating systems and proper employee education,” said Murray. “Businesses should also have a good backup strategy, data recovery and roll-back plans in place to alleviate the impact of any data loss.”
Another expert noted that Acer spotted the compromise of its systems quickly and responded fast.
“In this case, Acer was able to spot the compromise of its systems fairly quickly, but for businesses that aren’t so fast the repercussions can be even more severe,” said Simon Mullis, director of technical account management at Tanium.
“In the aftermath of an attack it is important to immediately start the process of damage control, to mitigate the impact as much as possible,” Mullis added. “Endpoint management tools can help with this by detecting unauthorised access to a company’s systems, as well as locating and managing sensitive data across endpoints to avoid future attacks.”