PC and Device Maker Appears to Have Been Targeted by REvil
Acer, one of the world’s largest PC and device makers, has reportedly been targeted by the ransomware gang REvil, aka Sodinokibi, according to multiple published reports.
On Thursday, the REvil gang posted what it claims is Acer company data to its darknet “news” site and is reportedly demanding $50 million from the Taiwanese firm, according to Bleeping Computer, which first reported the attack and has since published a copy of the ransom note.
Acer has not formally confirmed it has been attacked or if data posted to the REvil darknet site is legitimate. A company official told Bleeping Computer “there is an ongoing investigation and for the sake of security, we are unable to comment on details.”
A source provided Information Security Media Group with several screenshots from the REvil darknet site that reportedly show customer data, payment application forms and other information that the gang claims it stole from Acer during an attack.
An Acer spokesperson could not be immediately reached for comment, but the company published a statement: “Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”
Acer is one of the world’s largest manufacturers of PCs, smartphones, devices and other hardware, such as desktop monitors. In the fourth quarter of 2020, it ranked fifth in worldwide PC shipments, with more than 6.5 million desktops and laptops shipped during the quarter, according to a January analysis published by IDC.
REvil is one of several cybercriminal gangs that practice what analysts call double extortion. Not only does the group use crypto-locking malware to encrypt data and files at a victimized organization, but the cybercrooks also steal that information first and threaten to publish it if demands are not met. This puts additional pressure on victims to pay.
Besides its extortion methods, REvil is known to demand multimillion-dollar payments from victims to return data and decrypt files. For instance, Travelex, a London-based foreign currency exchange that does business in 26 countries, including the U.S., paid the ransomware gang $2.3 million in 2020 to regain access to its data following an attack (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).
And while REvil has demanded and received million-dollar payments, the reported $50 million extortion attempt against Acer is highly unusual and is likely designed to get the company to at least pay a portion of that, says Brett Callow, a security threat analyst at security firm Emsisoft.
“When groups make enormous demands like this, I’m not sure they actually expect to be paid – at least not their full ask,” Callow says. “To my mind, it’s far more likely that the demand is intended to encourage companies to up their policy limits and make them feel lucky – and so more likely to pay – when they get hit with a ‘modest’ demand of $10 million.”
Whether it’s REvil or other ransomware gangs, profits from these types of cybercrimes continue to rise, according to security researchers.
Earlier this month, blockchain analysis firm Chainalysis published a report that found about $370 million in known 2020 ransomware profits – via ransoms that got paid. This is a staggering 336% increase over known 2019 earnings (see: Mark of Ransomware’s Success: $370 Million in 2020 Profits).
One possible reason for this uptick in ransomware profits is that gangs are targeting critical infrastructure, such as government entities and healthcare organizations, which have been overwhelmed by the COVID-19 pandemic, according to an analysis by Trend Micro.
During this time, REvil, or Sodinokibi, has been one of the most prolific ransomware gangs operating. IBM Security X-Force found that about 22% of all ransomware incidents it investigated in 2020 involved REvil, and the gang reportedly bragged on a Russian underground forum that it had earned $12 million in 12 months.
REvil is also known to target vulnerable remote connections to gain a foothold in networks as part of its attacks. For example, when the gang targeted the celebrity New York law firm of Grubman Shire Meiselas and Sacks, the cybercriminals appeared to take advantage of a flaw in a Pulse Secure VPN server to gain a foothold (see: Hacked Law Firm May Have Had Unpatched Pulse Secure VPN).