March 22, 2021

Ransomware gang to Acer: Give us $50m or you’ll never see your data again

By Robert Scammell

Malicious hacking gang REvil has compromised Acer with ransomware, demanding a $50m payment to decrypt the computer giant’s files. The compromised documents include financial spreadsheets, bank balances and banking communications.

The cybercriminals may have capitalised on the recent Microsoft Exchange Server exploits to gain access to the Taiwanese electronics maker, according to Bleeping Computer, which first reported the news on Friday.

The $50m ransom demand is the largest publicly known request to date. Acer has not officially confirmed the attack but told Bleeping Computer it “reported recent abnormal situations” to the relevant authorities.

REvil, a ransomware group believed to operate out of Russia, published images of stolen files on Thursday as proof of its attack.

It reportedly offered Acer a 20% discount on the ransom fee if it paid up by 17 March – a tactic commonly employed by ransomware gangs.

In 2020 Acer reported gross annual profits of NT$30.12bn ($1.6bn). Ransomware gangs are known to tailor their demands based on the size of a company to maximise the chance of payout, as well as to increase the size of their profit.

It is unclear whether Acer has paid or intends to pay the ransom fee. Verdict has contacted Acer for comment but did not receive a reply at the time of publication.

The Acer ransomware attack reportedly began on 14 March this year.

In a statement to ZDNet, an Acer spokesperson said: “Acer routinely monitors its IT systems, and most cyberattacks are well defended. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.

“Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer’s internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures.”

It is uncertain whether or not the digital assault leveraged the Microsoft Exchange Server vulnerabilities uncovered earlier in March. However, some evidence points in that direction. REvil targeted an Acer Microsoft Exchange Server earlier this month, according to telemetry data from threat prevention firm Advanced Intel.

The recently revealed zero-day exploits give cybercriminals access to Microsoft’s mail and calendar product running on on-premises servers. While Microsoft released security fixes for the four vulnerabilities on 2 March, various cybercriminal groups have successfully installed web shells on tens of thousands of servers around the world.

These web shells allow cybercriminals to install malicious software such as ransomware. Microsoft recently warned that it had detected DoejoCrypt ransomware being spread on Exchange hack victims’ systems.

If that proves to be the entry method in the Acer hack, it would be the highest-profile ransomware attack stemming from the Exchange zero-days to date.

It would also confirm the fears of cybersecurity experts, who have previously warned that opportunistic cybercrime gangs would exploit as many organisations as possible before they patched their Exchange Servers, with the intention of picking specific targets to attack at a later date.

Last year REvil, also known as Sodinokibi, targeted foreign currency exchange service Travelex with ransomware, forcing its employees to work with pen and paper for more than a month. It later emerged that Travelex paid a $2.3m ransom demand to REvil. The company entered into administration in August 2020, citing Covid-19 travel disruption and the ransomware attack.

Cybersecurity experts generally advise against paying ransom demands.

“Acer should not consider paying this ransom as doing so would simply keep this as a viable business model,” said Richard Hughes, head of technical cybersecurity at A&O IT Group. “It should also be noted that there is no guarantee that an organisation will be able to decrypt data after paying a ransom as ransomware does not go through strict quality control and often contains bugs that may prevent successful recovery.”

He added: “It is more important than ever to conduct regular security assessments and ensure that the latest security patches are tested and deployed as soon as they are available.”
