Acer is believed to have been compromised by the REvil/Sodinokibi ransomware group.

The notorious ransomware group is on a spree, with at least nine victims in two weeks, says Candid Wuest, Acronis vice-president of cyber protection research. The list of victims is international: law firms, a construction company, banks, and a manufacturer. One victim, Union Bank of Nigeria, has an asset base estimated at $4,1-billion.

“While the investigation is ongoing, it remains unknown how the attackers managed to compromise the Acer corporation. The suspicion that the cybercriminals exploited the recent Microsoft Exchange vulnerability is plausible, as the REvil group is known to abuse vulnerabilities – for example, they exploited a Pulse VPN vulnerability last year to compromise Travelex, who ended up paying a $2,3-million ransom to the attackers.

“So far Acer has not confirmed any details of the attack, therefore other attack vectors, such as malicious email or weak passwords, are not ruled out,” Wuest says. “Furthermore, research indicates that earlier this month, Gootloader’s recent SEO poisoning campaign was also used to spread REvil ransomware.

“It was likely the classic double extortion attack, whereby sensitive information is stolen and then remaining systems are encrypted to disrupt the organisation.”

According to the attackers’ leak page, the group has demanded $50-million in Monero cryptocurrency, which would be the highest publicly known initial ransom demand so far. The demand doubles to $100-million if it is not paid by 28 March.

“As always with ransomware attackers, the cybercriminals offer an early payment discount, 20% in this case, and the fact that some preview of stolen data has already been published indicates that Acer does not plan to pay up,” Wuest says. “Nevertheless, it does indicate the huge amount of profit that targeted ransomware groups are making. It is estimated that the REvil gang made at least $81-million from ransomware payments last year.”

It is believed that the REvil group even threatened to repeat a SolarWinds-like supply-chain attack. Depending on the level of access the attackers gained inside Acer, such a supply-chain attack could have resulted in millions of customer devices being infected.

“A similar scenario did happen two years ago, when the hardware manufacturer Asus was compromised by the ShadowHammer group and successfully used for a supply chain attack,” says Wuest.