Acer was attacked: hackers demanded a ransom of 325 million yuan

https://mp.weixin.qq.com/s/eBUtRUJDcxxlENg-eKnzbA

Computer giant Acer was recently hit by REvil ransomware. The threat actors demanded the largest ransom known so far: 50 million U.S. dollars (about 325 million yuan).

Acer is a manufacturer of electronic products and computers, well-known for producing laptops, desktops and monitors. Acer has approximately 7,000 employees and revenues of $7.8 billion in 2019.

Yesterday, the ransomware group announced on its data-leak website that it had broken into Acer's systems, and posted several images of allegedly stolen files as proof.

The leaked images show that the files include financial spreadsheets, bank balances and bank correspondence.

Image: Acer data leaked on the REvil ransomware website

In response to an inquiry from the IT security news site BleepingComputer, Acer did not give a clear answer as to whether it had been attacked by REvil ransomware, saying only that it had reported "the recent abnormal situation" to the relevant local law enforcement agencies (LEA) and data protection agencies (DPA).

Acer’s complete response is as follows:

"Acer regularly monitors its IT systems and can effectively defend against most cyber attacks. Companies like us are often attacked. We have reported recently discovered anomalies to relevant law enforcement agencies and data protection agencies in multiple countries. 

"We have been continuously improving our cyber security infrastructure to protect business continuity and information integrity. We urge all companies and organizations to abide by cyber security disciplines and best practices, and be alert to any abnormal network activity."

Acer said: "An investigation is ongoing; for the sake of safety, we are unable to comment on the details."

After BleepingComputer published the article, Valery Marchive of the LegMagIT website discovered the REvil ransomware sample used in the Acer attack. The ransomware group demanded a ransom of up to 50 million US dollars.

BleepingComputer soon located the sample as well. The ransom note and the contents of the conversation between the victim and the attacker confirm that the sample does come from the cyber attack against Acer.

Image: Ransom demand made to Acer on the Tor payment website

The conversation between the victim and REvil that began on March 14 showed that Acer's representatives were shocked by the huge ransom of 50 million US dollars.

A REvil representative later shared in the chat a link to the Acer data-leak page, which was still private at the time.

The attackers also said that a 20% discount would apply if the ransom was paid before this Wednesday. After receiving the ransom, the ransomware group said it would provide a decryption tool, a vulnerability report, and deletion of the stolen files.

The REvil group once issued a vague warning to Acer: "Don't repeat the mistakes of SolarWind."

The US$50 million demanded by REvil is the largest known ransom to date. The previous record was the US$30 million ransom paid by the large retail chain operator Dairy Farm after a cyber attack that was also the work of REvil.

Possibly exploited a vulnerability in Microsoft Exchange

Vitali Kremez told BleepingComputer that the Andariel cyber-intelligence platform of the threat intelligence company Advanced Intel had detected that the REvil group recently targeted a Microsoft Exchange server on Acer's domain.

Kremez told BleepingComputer: "Advanced Intel's Andariel network intelligence system discovered that a certain affiliate under REvil used the Microsoft Exchange vulnerability as a weapon."

Image: Andariel intelligence data showing that Acer's Exchange Server was targeted

The threat actors behind the DearCry ransomware have already used the ProxyLogon vulnerability to deploy their ransomware, but those were relatively small-scale operations with few victims.

If REvil did use the recent Microsoft Exchange vulnerabilities to steal data or encrypt devices, this would be the first time these vulnerabilities have been used by a ransomware operation that goes after only large targets.

Reference material: https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/

Origin blog.csdn.net/z136370204/article/details/115043586