REvil Ransomware Hits Acer, Demands Potential $100 Million Ransom

Laptop giant Acer has been hit by a REvil ransomware attack and could face a staggering $100 million ransom if it hasn’t coughed up half of it by March 28.

The REvil ransomware attack was first reported by Bleeping Computer. On March 18, the threat actors announced on their data leak site that they had breached Acer. They shared some images of allegedly stolen files as proof.

The data allegedly exposed included client lists, payment form applications and financial documents. Acer hasn’t acknowledged the ransomware attack.

REvil Known for High Demands

Ivan Righi is cyber threat intelligence analyst at Digital Shadows. He said the malicious hackers are demanding Acer pay $50 million by March 28. If not, the ransom would double.

Digital Shadows’ Ivan Righi

“The REvil ransomware group is known for its high ransom demands, with a recent example being its $30 million ransom demanded from Dairy Farm in February,” he said. “It is not known if any of REvil’s victims have paid these exorbitant ransom demands, although it is unlikely.”

REvil likely exfiltrated information that is highly confidential, or that could be used to launch cyberattacks on Acer’s customers, Righi said.

REvil allegedly targeted Microsoft Exchange server vulnerabilities in attacks against Acer, he said.

Jeff Costlow is ExtraHop‘s CISO. He said there’s still a lot of uncertainty about the extent of the attack on Acer.

ExtraHop’s Jeff Costlow

“Not only did the REvil operation lock down files, they also clearly exfiltrated some portion of that data,” he said. “Exfiltration before encryption is becoming increasingly popular because it gives victims two reasons to pony up the ransom. They need to both regain access to their files and attempt to prevent leaks of their data.”

The Next SolarWinds?

The most disturbing part of this attack is that Acer could be the next SolarWinds, Costlow said.

“Encrypting files and exfiltrating data, even their source code, wouldn’t allow them to perpetrate a SolarWinds-style supply-chain attack,” he said. “For that, they would need to have compromised Acer’s build or update systems.”

The attackers are probably just trying to scare Acer into paying up, Costlow said. That said, the prospect of a multivector attack that involves encryption, exfiltration and exploitation is “terrifying.”

“It’s a cyberattack hat trick,” he said.

Oliver Tavakoli is Vectra‘s CTO. He said the size of the ransom request comes down to threat actors testing the market with a “fantastical opening gambit.”

“I would guess that Acer would either pay no ransom or would negotiate a much reduced amount,” he said.

NetEnrich’s Brandon Hoffman

Brandon Hoffman is Netenrich‘s CISO. He said cybercriminals have been investing their time in supply-chain and developers tool attacks. That reduced the focus on ransomware attacks since they are now playing the “long game.”

“This presents an opportunity in itself because attackers who saw the payoff from these supply-chain attacks left a gap where ransomware operators have more available attack surface. meaning ransomware will become a bull market again,” he said.