Ransomware Gang REvil Attacks PC Giant Acer and Demands $50 Million

Lee Mercado, Tech Times 19 March 2021, 11:03 pm

Acer, Taiwan's very own PC giant, has been hit by a ransomware attack, says notorious ransomware group REvil.

On Mar. 18, REvil's dark web leak site, "Happy Blog," published an alleged leak, claiming they had breached the Taiwanese electronics and computer maker.

The group shared some images of allegedly stolen files as proof and demanded $50 million to not leak Acer's data on the dark web and decrypt the company's computers.

According to BleepingComputer's report, the files leaked include financial spreadsheets, bank balances, and bank communications.

Also Read: IT Experts Warn About The 'Cybercrime Pandemic' as Ransomware Attacks Skyrocket to 148% Worldwide

Acer's Response

Acer did not confirm if a REvil ransomware had indeed attacked them but rather said that they "reported recent abnormal situations" to relevant LEAs and DPAs.

Instead, the Taiwanese company assured that they constantly monitor their IT systems and established defense against most cyberattacks.

They continued that such attacks constantly target companies like them and that they had recently observed abnormal situations.

In addition, the company has already reported the issue to the relevant law enforcement and data protection authorities in multiple countries.

When BleepingComputer asked for further details, Acer replied, "there is an ongoing investigation and for the sake of security, we are unable to comment on details."

The attack had not disrupted the company's production systems as well, as it only hit the company's back-office network.

According to The Record's report, Acer's name appeared on REvil ransomware group's list of companies that do not pay extortion fees.

With the help of malware intelligence analyst Marcelo Rivero, The Record managed to track down the gang's other dark web portal.

The portal clearly displayed the $50 million ransom the gang demands from Acer and the online chat the gang was using to talk to the company's representatives.

Who is REvil?

CRN names REvil "as one of the most infamous ransomware operators," who allegedly unleashed a devastating ransomware attack on 22 Texas towns and counties in 2019.

A Computer Weekly report also hailed REvil as "one of the most active and dangerous ransomware threats in the wild."

On Mar. 5, CRN reported that the gang claimed to have attacked Standley Systems - an IT infrastructure and managed services firm - and took sensitive data, including more than 1,000 social security numbers.

REvil, also known as Sodinokibi, was first discovered in 2019 by Cisco Talos.

McAfee's Advanced Threat Research (ATR) team shared insights into the affiliates' methods using REvil, including distributing the ransomware through spear-phishing and weaponized documents.

These documents - batch files that download payloads from Pastebin to processes on the target OS - compromises remote desktop protocols (RDPs) and uses script files and password cracking tools to distribute them over the target network.

The ATR team observed several groups compromising and monitoring RDP honeypots they ran between June and September 2019.

These honeypots drew in actors from IP addresses worldwide, but the ruse will not execute if it detected both the Persian (Farsi) and Romanian languages installed on a victim's machine.

McAfee observed that REvil usually demands ransoms between 0.44 and 0.45 bitcoin, which is approximately $4,000.