A new targeted ransomware REvil has been actively preying on the tech industry – from Acer to Apple are its recent victims. After targeting Taiwan based Acer last month, the US-based Apple has become the latest victim of targeted ransomware REvil.
The threat actor group behind ransomware REvil reportedly have demanded either Apple or its contract manufacturer Quanta Computer pay a $50 million ransom by May 1.
REvil targeted Apple via Quanta’s data breach
This group had first attacked a Taiwan based contract manufacturer Quanta, which is among Apple’s top contract manufacturers and suppliers for its products. Bloomberg reported that this group had attacked Quanta and demanded the company to pay for that stolen date.
Since Quanta Computer refused to pay the ransom, the group went after Quanta’s client Apple. It shared some 21 screenshots including that of Apple’s new iMac, M1 MacBook Air along with the product’s diagrams and schematics in the dark web.
Interestingly, these stolen images have an imprint from the company. “This is the property of Apple and it must be returned.” The imprint does authenticate the stolen data belonged to Apple.
Apple and Quanta threatened
Further, the group behind the targeted ransomware REvil has threatened both Apple and Quanta. With a deadline of May 1, the group has threatened that until Apple or Quanta pay them a $50 million ransom, they will continue to release new data every day.
This same ransomware REvil group had attacked the Taiwanese laptop and computer device brand Acer last month. The group demanded the global brand to pay a $50 million ransom – setting a new record in the ransom demand.
After breaching Acer’s security systems and networks, the cyber gang reportedly posted the company’s financial and bank-related documents and forms.
These attackers reportedly wanted Acer to pay a $50 million ransom in Monero cryptocurrency. Following the ransom demand with a March 28 deadline for payment, Acer’s negotiators allegedly offered $10 million, but the attackers turned down, reported ComputerWeekly.
Acer has not denied or confirmed this cyber incident, but it issued a statement. “Companies like it are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries,” Acer stated.
“Acer discovered abnormalities from March and immediately initiated security and precautionary measures. Acer’s internal security mechanisms proactively detected the abnormality, and immediately initiated security and precautionary measures,” the company said in the statement last month.
The cyberattack on Acer, according to some cybersecurity experts have exploited the Microsoft Exchange Server vulnerability. Probably, this is the first incident of a ransomware group exploiting a publicly known server vulnerability.
Tech Companies on REvil’s target
Apart from Apple, the Taiwan based Quanta has many customers from the tech industry globally that includes HP, Dell, Microsoft, Toshiba, LG, Lenovo and others. Following the recent attacks on Acer and Apple, there’s a high possibility that the targeted ransomware REvil group could target Quanta’s other tech customers.
In fact, the REvil group in a post on the dark web shared that it is having possession of data from other companies. “Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” the cyber gang posted.
Rise of REvil
The REvil group although first appeared in April 2019. Within few years, the group has gained popularity in the cyber world for sophisticated cyberattack tactics and extorting big sum money from victims. The group is also known as “Sodin” and “Sodinokibi” operates in Ransom-as-a-Service (RaaS) business.
“The REvil (also known as Sodin or Sodinokibi) ransomware has been known since 2019 and it can both encrypt data and steal it. It is distributed on specialized forums by subscription,” said Denis Legezo, Senior Security Researcher, Kaspersky’s Global Research and Analysis Team.
“Thus, two groups of attackers are involved in the attack: the first finds a breach in the protection of the organisation and injects REvil there and the second creates the malware. After encryption or data theft, a ransom is demanded from the victim. And if successful, it is divided between these groups,” explained Legezo.
In terms of its sophisticated tactics, the group uses a number of vectors including malicious spam, exploits, RDP attacks and vulnerabilities such as Maze. “The group not only holds data hostage but the victims are threatened of publicly releasing swiped data, if a ransom is unpaid,” revealed Malwarebytes’ 2021 State of Malware report.
“With a successful affiliate model that allegedly earned them $100 million in a year, REvil is poised to make headlines in 2021,” the report mentioned.
Besides the attacks on tech industry giants including Acer and Apple, this threat actor group last year targeted money transfer service Travelex, Honda, Jack Daniels maker Brown-Forman and law firm Grubman Shire Meiselas & Sacks.
Targeted Ransomware Landscape in Asia
Kaspersky’s latest report on the ransomware landscape revealed that between 2019 and 2020, its users encountering targeted ransomware increased by 767%. This rise in targeted ransomware occurred alongside a 29% decrease in the overall number of users affected by any kind of ransomware, with WannaCry still the most frequently encountered family.
According to Kaspersky (APAC) MD Chris Connell, targeted ransomware attacks have become a major concern globally in the past few years, especially for organisations and businesses in the APAC region.
“Targeted ransomware group breached at least 61 entities from the region in 2020. Australia and India being the top 2 countries that logged the highest number of incidents across APAC,” said Connell.
“Victim organisations of targeted ransomware fear that even after paying the ransom, there’s no guarantee that they will get their data back. Or the nefarious cybercriminals would misuse the data by leaking it publicly or even selling it on the dark web,” added Connell.
Organisations breached and losing sensitive data to cybercriminals can also damage the reputation of the organisation amongst its stakeholders and consumers. “It is cardinal for businesses and institutions to be prepared to fight against these attacks and be transparent with their stakeholders in case of an incident,” concluded Connell.