Acer Faces Record-Breaking $50 Million Ransomware Attack by REvil Group



The computer giant Acer has fallen victim to a REvil ransomware attack, with the cybercriminals demanding an unprecedented ransom of $50 million (approximately 325 million yuan).

Acer, a leading electronics and computer manufacturer based in Taiwan, China, produces a wide range of products, including notebook computers, desktops, and monitors. The company employs around 7,000 people and reported revenues of $7.8 billion in 2019. Yesterday, the REvil ransomware group announced on their data breach site that they had successfully infiltrated Acer's systems. To substantiate their claim, the group released several screenshots of stolen files, including financial spreadsheets, bank balances, and transaction information.

While Acer has not directly confirmed the ransomware attack by REvil, they acknowledged reporting recent anomalies to local law enforcement and data protection agencies. In their official statement, Acer emphasized their ongoing efforts to monitor and protect their IT infrastructure:

"Acer regularly monitors its internal IT systems, and most cyber attacks are effectively blocked. Companies like Acer are often attacked. We have also reported recently discovered anomalies to local law enforcement agencies and data protection agencies in many countries."

"We have been constantly improving the network security infrastructure, working hard to protect business continuity and information integrity. We urge all enterprises and organizations to comply with network security regulations and information integrity requirements, and be alert to various abnormal network activities that may occur."

"The investigation is still ongoing. For security reasons, we are unable to comment on the details."

Record-Breaking Ransom Demand

Following the breach announcement, Valery Marchive of LeMagIT discovered the specific REvil ransomware sample used in the Acer attack. The ransom note demanded $50 million, a record amount. In conversations beginning on March 14, Acer representatives expressed shock at the hefty demand. During negotiations, the REvil group provided a link to the Acer data breach page, which had not been made public at the time. The attackers offered a 20% discount if Acer paid before the following Wednesday, promising decryptors, vulnerability reports, and deletion of stolen files upon payment. The REvil group also warned Acer, saying, "Don't repeat the mistakes of SolarWind."

Potential Exploitation of Microsoft Exchange Vulnerabilities

Vitali Kremez of Advanced Intel revealed that their intelligence platform detected the REvil group targeting Microsoft's Exchange server within Acer's domain. Kremez stated, "Advanced Intel's intelligence system has detected that a group under REvil is planning to use Microsoft Exchange vulnerability to launch an attack." The same method, exploiting Exchange through the ProxyLogon vulnerability to steal data or encrypt devices, was previously used by the DearCry ransomware group. If confirmed, this attack on Acer would mark the first significant use of Microsoft Exchange vulnerabilities in a large-scale ransomware operation.

As the investigation continues, Acer and other organizations remain vigilant, working to strengthen their cybersecurity defenses against such sophisticated threats.
