Pictured: an Acer exhibit booth at COMPUTEX Taipei, or the Taipei International Information Technology Show. (Quintin Lin, CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/, via Wikimedia Commons)
Security researchers reacted Monday to news of the REvil ransomware attack on computer and electronics manufacturer Acer late last week, generally expressing shock at the $50 million price tag and advising the laptop maker not to pay.
The incident was first reported by BleepingComputer, which said the REvil cybercriminal gang (also known as Sodinokibi) announced that it had breached Acer and shared some images of allegedly stolen files as proof. The leaked images include documents such as financial spreadsheets, bank balances and bank communications.
A reported leak of the ransom note revealed that Acer has until March 28 to pay the $50 million ransom. If the ransom is not paid by that date, it will apparently double to $100 million.
Acer still has not confirmed that it was the target of a ransomware attack, and efforts to reach the company today were unsuccessful. The company also did not confirm that REvil had carried out the ransomware attack through one of its Microsoft Exchange servers, as was reportedly alleged by Vitali Kremez, CEO of Advanced Intel. Still, several cyber thought leaders commented on this possibility, and on the possible connection to a series of Exchange vulnerabilities that have been exploited by multiple actors.
“The shift by REvil to exploit Exchange against major targets makes sense, as these vulnerabilities are so easy to exploit and provide the initial access ransomware affiliates want,” said Chad Anderson, senior security researcher at DomainTools. “That said, this ransom demand is particularly enormous and outside the norm for REvil affiliates. As always, we would encourage Acer to not pay the ransom, regardless of evidence of private financial documents on the REvil leak site.”
Oliver Tavakoli, CTO at Vectra, said it is expected that the recently disclosed Microsoft Exchange Server vulnerabilities, collectively known as ProxyLogon, will continue to be leveraged by multiple actors with varying aims over the coming weeks and months.
“Targeted ransomware actors like REvil will see this as a particular boon, as the many bespoke steps of an attack (infiltration, reconnaissance, gaining access to valuable data) can be short-circuited with a direct attack on an organization’s Exchange server,” Tavakoli said. “The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit – I would guess that Acer will either pay no ransom or will negotiate a much reduced amount.”
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said the REvil ransomware group has become known for its large financial demands, a recent example being the $30 million ransom it attempted to extort from Dairy Farm in February 2021. Righi said it is not known whether any of REvil’s victims have paid these exorbitant demands, though it is unlikely.
“The large demand suggests that REvil likely exfiltrated data that is highly confidential, or data that could be used to launch cyberattacks on Acer’s customers,” Righi said.
Jeff Barker, vice president of product marketing at Illusive, added that all of the recent high-profile attacks, this one on Acer included, show that every organization needs to adopt an “assume compromise” security posture and ensure it is taking appropriate measures to reduce the risk that attackers can move laterally without detection. “We recommend that organizations assess the ransomware risk for their current environment and take steps to remove the unnecessary credential, connection, and pathway information that makes reconnaissance and movement too easy for attackers,” Barker said. “At-risk organizations would benefit from planning for and executing a four-step ‘shake the tree’ lateral movement hygiene and detection exercise: assess and improve credential and pathway hygiene; ensure the lateral movement detection system and essential controls are working properly; reset privileged account passwords; and monitor lateral movement to spot attacker propagation in the environment.”
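The last step Barker describes, monitoring for lateral movement to spot attacker propagation, can be reduced to a concrete detection: one account authenticating over the network from a single source host to many distinct destinations in a short window is a classic fan-out signal. The script below is an added example, not code from the article, from Illusive or from any vendor quoted here. It runs over a small set of constructed logon events (the field layout, hostnames and account names are all made up for the example, modelled loosely on Windows Event ID 4624 with logon type 3 meaning a network logon) and reports any (account, source host) pair that reaches five or more distinct destinations within a sliding five-minute window.

```python
"""Flag one-to-many lateral movement fan-out in constructed logon events.

Added example (not from the article or any vendor): an account that
authenticates over the network from one host to many distinct hosts in a
short window is a common sign of attacker propagation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Fields: timestamp, account, source host, destination host, logon type.
# Logon type 3 = network logon (the kind lateral movement produces);
# logon type 2 = interactive console logon, ignored here.
SAMPLE_EVENTS = [
    "2021-03-22T09:00:01 svc_backup SRV-BACKUP01 FS-01 3",
    "2021-03-22T09:00:05 jsmith WS-112 FS-01 3",
    "2021-03-22T09:00:09 jsmith WS-112 PRINT-02 3",
    "2021-03-22T09:01:10 jsmith WS-112 WS-113 3",
    "2021-03-22T09:01:12 jsmith WS-112 WS-114 3",
    "2021-03-22T09:01:15 jsmith WS-112 WS-115 3",
    "2021-03-22T09:01:20 jsmith WS-112 WS-116 3",
    "2021-03-22T09:02:00 jsmith WS-112 DC-01 3",
    "2021-03-22T09:30:00 alee WS-200 FS-01 3",
    "2021-03-22T09:31:00 alee WS-200 WS-200 2",
    "2021-03-22T10:15:00 alee WS-200 PRINT-02 3",
    "2021-03-22T11:00:00 alee WS-200 DC-01 3",
    "2021-03-22T12:00:00 alee WS-200 WS-113 3",
    "2021-03-22T12:05:00 alee WS-200 WS-114 3",
]


def parse_event(line):
    """Parse one whitespace-separated constructed event line into a dict."""
    ts, account, src, dst, ltype = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "logon_type": int(ltype)}


def find_fanout(lines, window=timedelta(minutes=5), threshold=5):
    """Return alerts for (account, source) pairs that reached at least
    `threshold` distinct destinations inside any sliding `window`.

    Each alert records when the run of logons started, the most recent
    logon that kept it over threshold, and the sorted destination set.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    recent = defaultdict(deque)  # (account, src) -> deque of (time, dst)
    alerts = {}
    for e in events:
        if e["logon_type"] != 3:
            continue  # only network logons count toward fan-out
        key = (e["account"], e["src"])
        q = recent[key]
        q.append((e["time"], e["dst"]))
        # Drop entries that have aged out of the sliding window.
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold:
            alerts[key] = {"first_seen": q[0][0], "last_seen": e["time"],
                           "targets": sorted(targets)}
    return alerts


if __name__ == "__main__":
    for (account, src), info in find_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {account}@{src}: {len(info['targets'])} hosts "
              f"between {info['first_seen']} and {info['last_seen']}: "
              f"{', '.join(info['targets'])}")
```

In the sample data only jsmith from WS-112 trips the rule (seven hosts inside two minutes); alee's logons are spread over hours and never exceed two hosts per window, and the interactive logon is ignored. In a real deployment the window and threshold must be tuned per environment, and legitimate fan-out sources (backup servers, vulnerability scanners, admin jump hosts) need an allowlist or a separate baseline so the rule stays actionable.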