Computer giant Acer is hit by $50 million ransomware attack


The computer giant Acer was hit by a REvil ransomware attack, in which the threat actors are demanding the largest ransom known to date: $50 million.

Acer is a Taiwanese manufacturer of electronics and computers, known for its laptops, desktops and monitors. Acer has approximately 7,000 employees and earned $7.8 billion in 2019.

Yesterday, the ransomware gang announced on its data leak site that it had breached Acer and shared some images of allegedly stolen files as proof.

The leaked images show documents that include financial spreadsheets, bank balances and bank communications.

Acer data leak on REvil ransomware site

In response to BleepingComputer’s questions, Acer did not give a clear answer as to whether it suffered a REvil ransomware attack, saying only that it “reported recent abnormal situations” to the relevant law enforcement agencies (LEAs) and data protection authorities (DPAs).

You can read the full answer below:

“Acer routinely monitors its IT systems, and most cyber attacks are well defended. Companies like us are constantly under attack and we report recent abnormal situations observed to relevant law enforcement and data protection authorities in several countries.”

“We have continuously improved our cybersecurity infrastructure to protect business continuity and the integrity of our information. We urge all companies and organizations to adhere to cybersecurity disciplines and best practices and to be on the lookout for any abnormalities in network activity.” – Acer.

When asked for more details, Acer said that “there is an investigation underway and for security reasons, we are unable to comment on the details.”

If you have first-hand information about this or other unreported cyber attacks, you can contact us confidentially on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

Highest known ransom demand

After we published our story, LeMagIT’s Valery Marchive discovered the sample of the REvil ransomware used in the Acer attack, which demands a colossal $50 million ransom.

Soon after, BleepingComputer found the sample as well and can confirm, based on the ransom note and the victim’s conversation with the attackers, that the sample is from the cyber attack on Acer.

Acer ransom demand on the Tor payment site

In the conversation between the victim and REvil, which began on March 14, the Acer representative was shocked by the huge $50 million demand.

Later in the chat, the REvil representative shared a link to Acer’s data leak page, which had not yet been made public at the time.

The attackers also offered a 20% discount if payment was made by last Wednesday. In return, the ransomware gang would provide a decryptor, a vulnerability report and the deletion of the stolen files.

At one point, the REvil operation offered Acer a cryptic warning “not to repeat the fate of SolarWind”.

The $50 million REvil demand is the largest ransom known to date; the previous record was the $30 million ransom demanded in the Dairy Farm cyber attack, also by REvil.

Possible exploitation of Microsoft Exchange

Vitali Kremez told BleepingComputer that Advanced Intel’s Andariel cyber intelligence platform detected that the REvil gang had recently targeted a Microsoft Exchange server in the Acer domain.

“Advanced Intel’s Andariel cyber intelligence system detected that a particular REvil affiliate was looking for Microsoft Exchange weaponry,” Kremez told BleepingComputer.

Andariel feed showing the targeting of the Acer Exchange server

The threat actors behind the DearCry ransomware have already used the ProxyLogon vulnerability to deploy their ransomware, but they are a minor operation with few victims.

If REvil exploited the recent Microsoft Exchange vulnerabilities to steal data or encrypt devices, it would be the first time that one of the major big-game-hunting ransomware operations has used this attack vector.

Update 19/03/21 14h45: Updated with information from the discovered Acer ransomware sample.
