The REvil ransomware group has come to prominence recently by infecting networks around the world with ransomware and demanding large sums of money from its victims. The group routinely posts proof of successful intrusions on its leak site, called Happy Blog, and Acer is the latest name to appear there. Acer has yet to confirm the ransomware attack, but the evidence suggests the claim is true.
Investigative work by LeMagIT and SearchSecurity found that REvil is demanding a record-breaking $50 million ransom from Acer, payable in Monero (XMR). The previous known record was $30 million in 2020. The demand is also set to double to $100 million if it is not paid by March 28th. That deadline-driven price increase is a pressure tactic, and it is now routinely layered on top of double extortion, in which the group not only encrypts the victim's systems but also steals data and threatens to publish it, as it has already begun to do here.
The group also posted proof of its intrusion on the blog in the form of internal Acer documents showing financial information, customer accounts, and other spreadsheets containing sensitive information. We have visited this Tor hidden service ourselves and can confirm many screenshots of seemingly confidential material. Others have even found the chat mechanism on the site that the threat actors use to talk with victims, who often try to negotiate the price. The landing page for this blog post can be seen in the image below.
Further research into this incident has uncovered a possible attack vector used to get the ransomware into Acer's network. Vitali Kremez, CEO of Advanced Intel, reported that a threat actor had targeted Acer's on-premises Exchange servers prior to the incident using the recently disclosed ProxyLogon exploit chain (CVE-2021-26855 and the related Exchange vulnerabilities patched by Microsoft in early March 2021). Acer has not confirmed this either.
It is paramount that every organization running on-premises Microsoft Exchange servers patch them immediately. Threat actors continue to exploit these vulnerabilities in the wild with devastating effect, and because exploitation typically leaves a web shell behind, patching alone is not enough: any server that was exposed before the patch was applied should also be checked for signs of prior compromise. Beyond that, here are some additional points of emphasis for protecting yourself and your business from ransomware infection:
- Scrutinize every email for suspicious senders, hyperlinks, attachments, and overall content
- If your business does not already have them, advocate for (or implement) social engineering awareness training and email-level filtering so that malicious content is caught before it reaches users
- Continuous, comprehensive phishing training reduces phishing susceptibility dramatically across all industry sectors (source)
- Download and use only known-good software
- Ensure all of your systems and software are patched and up-to-date
- Use existing network security controls to block common exploits and ransomware. For instance, WatchGuard Fireboxes have IPS signatures for the ProxyLogon exploit chain used by HAFNIUM and other groups, and our anti-malware services can detect and block most malware.
- Implement endpoint security and anti-virus software. WatchGuard Adaptive Defense 360 (AD360) can help.
- Backup, Backup, Backup. Backup your data, and keep at least one copy offline or otherwise out of reach of an attacker who has domain admin, because ransomware operators routinely delete or encrypt online backups first. Test that you can actually restore from it.
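Patching closes the door, but it does not tell you whether someone already walked through it. The following is an added example (not code from the original post or from WatchGuard) that triages Exchange HttpProxy logs and IIS W3C logs for two of the ProxyLogon indicators Microsoft published in its HAFNIUM guidance: an AnchorMailbox value of the form ServerInfo~*/* in the HttpProxy logs (the CVE-2021-26855 server-side request forgery), and requests for .aspx files under aspnet_client, the directory where the dropped web shells were commonly found. The log samples are constructed and column-reduced stand-ins for the real files under the Exchange install path's Logging\HttpProxy directory and the IIS log directory; the function names and the sample IP addresses are our own assumptions.

```python
"""Retrospective ProxyLogon triage over Exchange HttpProxy and IIS logs.

Added example, not from the original post. The sample logs below are
CONSTRUCTED: real HttpProxy CSVs have many more columns and real IIS logs
have more fields, but the column names used here (AnchorMailbox,
ClientIpAddress, cs-uri-stem, c-ip) match the real ones.
"""
import csv
import io
import re

# Constructed HttpProxy sample. Real files start with '#Software', '#Version',
# '#Log-type', '#Date' and '#Fields' preamble lines, then the CSV header.
HTTPPROXY_SAMPLE = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus
2021-03-05T10:12:01.123Z,1,203.0.113.10,/owa/auth/logon.aspx,,200
2021-03-05T10:12:03.456Z,2,203.0.113.10,/ecp/y.js,ServerInfo~exchange.corp.example/autodiscover/autodiscover.xml,200
2021-03-05T10:12:04.789Z,3,198.51.100.7,/ecp/default.aspx,alice@corp.example,200
"""

# Constructed IIS W3C sample (field list shortened).
IIS_SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-05 10:12:01 GET /owa/auth/logon.aspx - 203.0.113.10 200
2021-03-05 10:15:22 POST /aspnet_client/system_web/help.aspx - 203.0.113.10 200
2021-03-05 10:16:00 GET /owa/ - 198.51.100.7 200
"""

# Microsoft's published indicator for CVE-2021-26855: AnchorMailbox = ServerInfo~*/*
SERVERINFO_RE = re.compile(r"^ServerInfo~.*/", re.IGNORECASE)
# aspnet_client normally holds static client-side files, never .aspx pages.
WEBSHELL_PATH_RE = re.compile(r"^/aspnet_client/.*\.aspx$", re.IGNORECASE)


def _httpproxy_rows(text):
    """Parse an HttpProxy CSV body, skipping the '#...' preamble lines."""
    body = "\n".join(l for l in text.splitlines() if l and not l.startswith("#"))
    return list(csv.DictReader(io.StringIO(body)))


def find_serverinfo_anchor(httpproxy_csv):
    """Rows whose AnchorMailbox carries the ServerInfo~ SSRF marker."""
    return [r for r in _httpproxy_rows(httpproxy_csv)
            if SERVERINFO_RE.match((r.get("AnchorMailbox") or "").strip())]


def parse_iis(text):
    """Parse IIS W3C lines into dicts using the '#Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_aspnet_client_aspx(iis_text):
    """Requests for .aspx files under aspnet_client (web shell heuristic)."""
    return [r for r in parse_iis(iis_text)
            if WEBSHELL_PATH_RE.match(r.get("cs-uri-stem", ""))]


def triage(httpproxy_csv, iis_text):
    """Combine both checks and list the client IPs that tripped either one."""
    ssrf = find_serverinfo_anchor(httpproxy_csv)
    shells = find_aspnet_client_aspx(iis_text)
    ips = sorted({r["ClientIpAddress"] for r in ssrf} | {r["c-ip"] for r in shells})
    return {"ssrf_hits": len(ssrf), "webshell_hits": len(shells), "suspect_ips": ips}


if __name__ == "__main__":
    result = triage(HTTPPROXY_SAMPLE, IIS_SAMPLE)
    print(result)
    for row in find_serverinfo_anchor(HTTPPROXY_SAMPLE):
        print("SSRF indicator:", row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    for row in find_aspnet_client_aspx(IIS_SAMPLE):
        print("Web shell indicator:", row["date"], row["time"], row["c-ip"], row["cs-uri-stem"])
```

Both checks are indicators, not proof: an .aspx request under aspnet_client is unusual on a stock Exchange install but should be confirmed by looking for the file on disk, and an absence of hits does not clear a server whose logs have rotated since it was exposed. Microsoft's own Test-ProxyLogon.ps1 script runs a fuller set of these searches against the live log directories and is the better tool for a real investigation.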