Secplicity - Security Simplified

Powered by WatchGuard Technologies

Alleged Acer REvil Ransomware Infection Breaks Record with $50+ Million Demand

March 23, 2021 By Ryan Estes

The REvil ransomware group has recently come to prominence by infecting networks around the world with ransomware and demanding large sums of money from its victims. The group commonly posts proof of its successful ransomware operations on its blog, called Happy Blog, and one of its most recent victims, Acer, has now appeared on that list. Acer has yet to confirm the ransomware attack, but the evidence suggests the claim is true.

Investigative work by LeMagIT and SearchSecurity discovered that the REvil group is demanding a record-breaking $50 million ransom from Acer, payable in Monero (XMR). The previous known record was $30 million in 2020. However, on March 28th the demand could double to $100 million, a tactic known as double-extortion that is becoming increasingly common in ransomware campaigns.

The group also posted proof of their intrusion on their blog: internal documentation from Acer showing financial information, customer accounts, and other spreadsheets containing sensitive information. We have visited this Tor-protected site ourselves and can confirm many pictures of seemingly confidential samples. Others have even found the specific chat mechanism on this site that the threat actors use to talk with victims, who often try to negotiate the price. The landing page for this blog post can be seen in the image below.

Happy Blog’s proof of Acer compromise with sample files

Further research into this incident has uncovered a possible attack vector that was used to deploy this ransomware into Acer's network. Vitali Kremez, CEO of Advanced Intel, reported that a bad actor had targeted Acer's Exchange servers prior to the incident using the recently discovered ProxyLogon exploits, although this too has not been confirmed by Acer.

It is paramount that all businesses with on-premise Microsoft Exchange servers patch their systems as soon as possible. Bad actors continue to exploit these vulnerabilities in the wild with devastating effects. Furthermore, here are some additional points of emphasis for protecting yourself and your business from ransomware infection:

  • Scrutinize every email for suspicious senders, hyperlinks, attachments, and overall content
    • About 1 in 4 ransomware infections are delivered via phishing (source)
    • About 4 in 10 people click on hyperlinks in phishing emails at least once a day (source)
  • Advocate for, or implement, social engineering training and email-level filtering if your business does not already have them, to better filter malicious content
    • Continuous, comprehensive phishing training reduces phishing susceptibility dramatically across all industry sectors (source)
  • Download and use only known-good software
  • Ensure all of your systems and software are patched and up-to-date
  • Use existing network security controls to block common exploits and ransomware. For instance, WatchGuard Fireboxes have IPS signatures for the remote Hafnium exploit, and our anti-malware services can detect and block most malware.
  • Implement endpoint security and anti-virus software. WatchGuard Adaptive Defense 360 (AD360) can help!
  • Backup, Backup, Backup. Back up your data!

Filed Under: Editorial Articles, Featured Tagged With: ransomware