A new targeted ransomware called REvil has been actively preying on the tech industry – and firms from Acer to Apple are its most recent victims.
After targeting Taiwan-based Acer last month, the US-based Apple has become the latest victim of the targeted ransomware REvil.
The threat actor group behind the ransomware has reportedly demanded that either Apple or its contract manufacturer Quanta Computer pay a $50 million ransom by May 1st.
REvil targets Apple via Quanta's data breach
The group first attacked the Taiwan-based contract manufacturer Quanta, which is among Apple's top contract manufacturers and suppliers for its products.
Bloomberg reported that this group had attacked Quanta and demanded the company pay for stolen data.
Since Quanta Computer refused to pay the ransom, the group went after Quanta’s client Apple.
It shared some 21 screenshots, including images of Apple's new iMac and M1 MacBook Air along with the products' diagrams and schematics, on the dark web.
Interestingly, these stolen images carry an imprint from the company: "This is the property of Apple and it must be returned."
The imprint does authenticate the stolen data as having belonged to Apple.
Apple and Quanta threatened
Furthermore, the group behind the targeted ransomware REvil has threatened both Apple and Quanta.
With a deadline of May 1, the group has threatened that unless Apple or Quanta pays the $50 million ransom, it will continue to release new data every day.
This same ransomware group attacked the Taiwanese laptop and computer device brand Acer last month.
The group demanded that the global brand pay another $50 million ransom, setting a new record in terms of ransom demands.
After breaching Acer’s security systems and networks, the cyber gang then posted the company’s financial and bank-related documents and forms online.
These attackers are said to want Acer to pay a $50 million ransom in Monero cryptocurrency.
Following the ransom demand, which had a March 28 deadline for payment, Acer's negotiators allegedly offered $10 million, but the attackers refused this amount, according to Computer Weekly.
Acer has neither denied nor confirmed this cyber incident, but it issued a statement saying "Companies (…) are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries," and continuing: "Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer's internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures."
According to some cybersecurity experts, the cyberattack on Acer exploited the Microsoft Exchange Server vulnerability, in what is probably the first incident of a ransomware group exploiting a publicly known server vulnerability.
Tech companies on REvil's target list
Apart from Apple, the Taiwan-based Quanta has many customers from the tech industry around the world, including HP, Dell, Microsoft, Toshiba, LG, Lenovo and others.
Following the recent attacks on Acer and Apple, there is now an increased possibility that the targeted ransomware REvil group could target Quanta’s other tech customers.
In fact, the REvil group has said in a post on the dark web that it is in possession of data from other companies: "Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands," the cyber gang posted.
Rise of REvil
The REvil group first appeared in April 2019. Within a few years, the group has gained notoriety in the cyber world for sophisticated cyberattack tactics and for extorting large sums of money from victims.
The group is also known as "Sodin" and "Sodinokibi" and operates on a Ransomware-as-a-Service (RaaS) model.
“The REvil ransomware (group) has been known (of) since 2019, and it can both encrypt data and steal it. It is distributed on specialized forums by subscription,” said Denis Legezo, Senior Security Researcher, Kaspersky’s Global Research and Analysis Team.
“Thus, two groups of attackers are involved in the attack: the first finds a breach in the protection of the organisation and injects REvil there, and the second creates the malware. After encryption or data theft, a ransom is demanded from the victim. And if successful, it is divided between these groups,” explained Legezo.
In terms of its tactics, the group uses a number of vectors, including malicious spam, exploits, RDP attacks and vulnerabilities, such as Maze.
“The group not only holds data hostage, but the victims are threatened with publicly releasing swiped data, if a ransom is unpaid,” revealed Malwarebytes’ 2021 State of Malware report.
“With a successful affiliate model that allegedly earned them $100 million in a year, REvil is poised to make headlines in 2021,” the report mentioned.
Besides the attacks on tech industry giants including Acer and Apple, this threat actor group last year targeted the money transfer service Travelex, Honda, Jack Daniel's maker Brown-Forman and the law firm Grubman Shire Meiselas & Sacks.
Targeted Ransomware Landscape in Asia
Kaspersky's latest report on the ransomware landscape revealed that between 2019 and 2020, the number of its users encountering targeted ransomware increased by 767%.
This rise in targeted ransomware occurred alongside a 29% decrease in the overall number of users affected by any kind of ransomware, with WannaCry still the most frequently encountered family.
According to Kaspersky (APAC) MD Chris Connell, targeted ransomware attacks have become a major concern globally in the past few years, especially for organisations and businesses in the APAC region.
"Targeted ransomware group breached at least 61 entities from the region in 2020. Australia and India were the top 2 countries that logged the highest number of incidents across APAC," said Connell.
“Victim organisations of targeted ransomware fear that even after paying the ransom, there’s no guarantee that they will get their data back. Or the nefarious cybercriminals would misuse the data by leaking it publicly or even selling it on the dark web,” added Connell.
Being breached and losing sensitive data to cybercriminals can also damage an organisation's reputation among its stakeholders and consumers.
“It is cardinal for businesses and institutions to be prepared to fight against these attacks and be transparent with their stakeholders in case of an incident,” concluded Connell.