Following the news that Taiwanese computer manufacturer Acer has been hit by a cyberattack, with much speculation surrounding the breach – wherein attackers demanded the largest known ransom to date – Candid Wüest, VP Cyber Protection Research at cyber protection firm Acronis, offers his opinion on how this could have occurred.
Acer, the Taiwanese electronics company, has allegedly been compromised by the REvil/Sodinokibi ransomware group.
This notorious ransomware group is on a spree, with at least nine victims in two weeks. The list of victims is international: law firms, a construction company, banks, and a manufacturer. One victim, Union Bank of Nigeria, has an asset base estimated at US$4.1 billion.
While the investigation is ongoing, it remains unknown how the attackers managed to compromise the Acer corporation.
The suspicion that the cybercriminals exploited the recent Microsoft Exchange vulnerability is plausible, as the REvil group is known to abuse vulnerabilities – for example, they exploited a Pulse VPN vulnerability last year to compromise Travelex, who ended up paying a US$2.3 million ransom to the attackers.
Acer has not confirmed any details of the attack; therefore, other attack vectors, such as malicious emails or weak passwords, are not ruled out.
Furthermore, research indicates that earlier this month, Gootloader’s recent SEO poisoning campaign was also used to spread REvil ransomware.
It was most likely the classic double extortion attack, where sensitive information is stolen and then remaining systems are encrypted to disrupt the organisation.
According to the attackers’ leak page, they demand US$50 million in the Monero cryptocurrency, which would be the highest publicly known initial ransom demand so far. The demand doubles to US$100 million if not paid by their deadline.
As always with ransomware attackers, the cybercriminals offer an early payment discount, 20% in this case, and the fact that some preview of stolen data has already been published indicates that Acer does not plan to pay up.
Nevertheless, it does indicate the huge amount of profit that targeted ransomware groups are making. It is estimated that the REvil gang made at least US$81 million from ransomware payments last year.
Apparently, the REvil group even threatened to repeat a SolarWinds-like supply-chain attack. Depending on the access that the attackers gained inside the corporation, such a supply-chain attack could have resulted in millions of customer devices being infected.
A very similar scenario happened two years ago, when the hardware manufacturer ASUS was compromised by the ShadowHammer group and successfully used for a supply-chain attack.