Computer giant Acer hit by $50 million ransomware attack

The computer giant Acer was hit by a REvil ransomware attack in which the threat actors demanded the largest known ransom to date, $50,000,000.

Acer is a Taiwanese electronics and computer manufacturer known for laptops, desktops and monitors. Acer employs approximately 7,000 people and earned $7.8 billion in 2019.

The ransomware gang announced on their data leak website yesterday that they had breached Acer and shared some images of allegedly stolen files as evidence.

These leaked images show documents that include financial spreadsheets, bank balances, and bank communications.

Acer data leaked on REvil ransomware website

In response to BleepingComputer’s queries, Acer did not give a clear answer as to whether they had suffered a REvil ransomware attack, but said they had reported ‘recent abnormal situations’ to the relevant law enforcement and data protection authorities.

You can read their full response below:

“Acer regularly monitors its IT systems, and most cyberattacks are well defended. Companies like ours are constantly being attacked and we have reported recent abnormal situations to the relevant law enforcement and data protection authorities in several countries.”

“We have continually improved our cybersecurity infrastructure to protect business continuity and our information integrity. We call on all companies and organizations to comply with cybersecurity disciplines and best practices, and to be vigilant for any abnormal networking activities.” – Acer.

In response to requests for further details, Acer said “there is an ongoing investigation and for security reasons we are unable to comment on details.”

If you have first-hand information about these or other unreported cyber attacks, you can contact us confidentially on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

Highest known ransom demand

Following the publication of our story, Valery Marchive of LeMagIT discovered the REvil ransomware sample used in the Acer attack, which demanded a whopping $50 million ransom.

Shortly afterwards, BleepingComputer found the sample and can confirm that it came from the cyber attack on Acer, based on the ransom note and the victim’s conversation with the attackers.

Acer ransom demand on Tor payment site

In the conversation between the victim and REvil, which began on March 14, the Acer representative was shocked by the huge demand of $50 million.

Later in the conversation, the REvil representative shared a link to the Acer data leak page, which was secret at the time.

The attackers also offered a 20% discount if the payment was made on Wednesday. In return, the ransomware gang would provide a decryptor, a vulnerability report and the removal of stolen files.

At one point, the REvil operation offered Acer a cryptic warning not to repeat the fate of the SolarWind.

REvil’s demand of $50 million is the largest known ransom to date, with the previous record being the $30 million ransom from the Dairy Farm cyber attack, also by REvil.

Possible Microsoft Exchange exploitation

Vitali Kremez told BleepingComputer that Advanced Intel’s Andariel cyber intelligence platform detected that the REvil gang recently targeted a Microsoft Exchange server on Acer’s domain.

“Advanced Intel’s Andariel cyber intelligence system has detected that one specific REvil affiliate is pursuing Microsoft Exchange weapons,” Kremez told BleepingComputer.

Andariel feed showing the focus of Acer Exchange Server

The threat actors behind the DearCry ransomware have already exploited the ProxyLogon vulnerability to deploy their ransomware, but it is a smaller operation with fewer victims.

If REvil did exploit the recent Microsoft Exchange vulnerabilities to steal data or encrypt devices, it would be the first time one of the big-game-hunting ransomware operations has used this attack vector.

Update 19/03/21 14:45: Updated with information from the discovered Acer ransomware sample.
