Acer has suffered a “double tap” ransomware attack, and the ransom demanded is a new record – $50M.
The network is believed to have been infected via the recent MS Exchange vulnerability which we have commented on before.
In a “double-tap” attack, as well as the victim’s files being encrypted, data is exfiltrated and released to the public to increase the pressure on the victim. Aside from the reputational risk of the data being released, where the data has value, REvil have in the past offered to auction it off to the highest bidder.
As can be seen in the original demand shown above, initially the demand was for $50M to be paid by the 28th of March. A 20% discount was offered if the payment was made by 17th March, but the demand was to double to $100M if not paid by the original deadline.
A noteworthy element of this attack is that the payment is demanded in the privacy-focussed cryptocurrency Monero, rather than Bitcoin.
The REvil group also offered to provide a vulnerability report to prevent Acer being targeted by other ransomware groups. It is not uncommon for victims to be immediately reinfected, sometimes by the same criminals, after paying a ransom.
However, in this case an attempt by Acer to bargain $50M down to $10M seems to have resulted in the release of exfiltrated data, and the deadline for payment has now passed, doubling the original demand.
Acer have not made any substantive statement about the incident, saying only that “There is an ongoing investigation and for the sake of security, we are unable to comment on details.” REvil are known for making very high demands, but it is hard to judge how often they are paid, or paid in full. We may never know the outcome here, but so far no further data has been released since the deadline passed.
The business model behind ransomware attacks has been steadily evolving over time, as effective threat actors become more like businesses, crafting offers and incentives to their victims and diversifying to provide more ways to monetise their activities. In the early days of ransomware some victims paid ransoms but were never able to decrypt their data. Effective ransomware groups have made a point of managing their brands and reputations, as their victims must trust them enough to pay them.
This incident is mainly noteworthy because of the eye-watering ransom demand, but incidents like this happen all the time. If you are concerned about securing your own systems, contact us to find out how our Security Operations Centre can proactively monitor your network for suspicious activity.