Pictured: an Acer exhibit booth at COMPUTEX Taipei, also known as the Taipei International Information Technology Show. (Quintin Lin, CC BY-SA 2., https://creativecommons.org/licenses/by-sa/2., via Wikimedia Commons)
Security researchers responded Monday to news of the REvil ransomware attack on PC and electronics manufacturer Acer late last week, mostly expressing shock at the $50 million price tag and advising the computer maker not to pay.
The incident was first reported by BleepingComputer, which said the REvil cybercriminal gang (also known as Sodinokibi) announced that it had breached Acer and shared some images of allegedly stolen documents as proof. The leaked images include documents containing financial spreadsheets, bank balances and bank communications.
A reported leak of the ransom note revealed that Acer has until March 28 to pay the $50 million ransom. If the ransom is not paid by that date, it will reportedly double to $100 million.
Acer still has not confirmed that it was the target of a ransomware attack, and attempts to reach the company today were unsuccessful. The company also did not confirm that REvil had carried out the ransomware attack through one of its Microsoft Exchange servers, as was reportedly alleged by Vitali Kremez, CEO of Advanced Intel. Nonetheless, several cyber thought leaders commented on this possibility, and on the possible connection to a series of Exchange vulnerabilities that have been exploited by multiple actors.
“The move by REvil to exploit Exchange from large targets makes sense as these vulnerabilities are so easy to exploit and provide the initial access ransomware affiliates need,” said Chad Anderson, senior security researcher at DomainTools. “That said, this ransom demand is particularly large and outside the mean for REvil affiliates. As always, we would encourage Acer to not pay the ransom, despite evidence of private financial documents on the REvil leaks site.”
Oliver Tavakoli, CTO at Vectra, said it’s expected that the recently disclosed Microsoft Exchange Server vulnerabilities, collectively known as ProxyLogon, will continue to be leveraged by a range of actors with different objectives over the coming months.
“Targeted ransomware actors like REvil will see this as a particular boon as the many bespoke steps of an attack (infiltration, reconnaissance, gaining access to valuable data) can be short-circuited with a direct attack on an organization’s Exchange server,” Tavakoli said. “The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit – I would guess that Acer would either pay no ransom or would negotiate a much reduced amount.”
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said the REvil ransomware group has become known for its large monetary demands, a recent example being the $30 million ransom it attempted to extort from Dairy Farm in February 2021. Righi said it’s not known whether any of REvil’s victims have paid these exorbitant demands, though it is unlikely.
“The large demand suggests that REvil likely exfiltrated data that is highly confidential, or information that could be used to launch cyber attacks on Acer’s customers,” Righi said.
Jeff Barker, vice president of product marketing at Illusive, added that all of the recent high-profile attacks, this one on Acer included, show that every organization needs to adopt an “assume compromise” security posture and ensure it is taking adequate steps to reduce the risk that attackers can move laterally without detection. “We recommend that organizations assess the ransomware risk for their current environment and take steps to eliminate the unnecessary credential, connection, and pathway data that makes reconnaissance and movement too easy for the attackers,” Barker said. “At-risk organizations would benefit from preparing for and executing a four-step ‘shake the tree’ lateral movement hygiene and detection exercise: assess and improve credential and pathway hygiene; ensure the lateral movement detection system and key controls are working properly; reset privileged account passwords; and monitor lateral movement to spot attacker propagation in the environment.”
Some parts of this article are sourced from: