REvil/Sodinokibi Ransomware Gang Extorts Apple Through Supply Chain Attack

April 22, 2021

The REvil/Sodinokibi ransomware gang is trying to extort Apple following an attack against one of the tech giant’s business partners. According to Bloomberg News, someone using the moniker “Unknown” announced on April 18 that the REvil/Sodinokibi gang was about to disclose their “largest attack ever.”

This post was written in Russian, and it showed up in a channel on the XSS digital crime forum that REvil/Sodinokibi’s handlers use to attract new recruits. Two days later, the ransomware gang unveiled on their Happy Blog data leaks website that they had attacked Quanta Computer, a laptop manufacturer and business partner of Apple.

Bleeping Computer reviewed a Tor payment page sent to Quanta where the attackers demanded that their victim pay $50 million by April 27 in exchange for a decryption key. That’s the same amount of money they insisted on receiving from Acer about a month prior. They went on to state that the ransom amount would increase to $100 million and remain at that amount until a countdown on that page ran out, at which time they threatened to release data exfiltrated from the target.

This double-extortion tactic is becoming increasingly common among ransomware purveyors: attackers threaten to make stolen data public should a target refuse to make the ransom payment, which renders data backups an ineffective recovery measure. Ultimately, prevention is the only viable means to protect an organization against ransomware attacks.

REvil/Sodinokibi’s Pivot to Apple

A representative for the REvil/Sodinokibi gang attempted to engage Quanta Computer in a chat room in mid-April, per Bloomberg News. They informed the laptop manufacturer that they had stolen “all local network data” and that they wanted $50 million for the decryption key.

Quanta Computer confirmed in a statement that it had suffered a digital attack, but it mentioned neither REvil/Sodinokibi nor the theft of its data. As quoted by Bloomberg News:

“Quanta Computer’s information security team has worked with external IT experts in response to cyber attacks on a small number of Quanta servers. We’ve reported to and kept seamless communications with the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There’s no material impact on the company’s business operation.”

It added that it had activated its digital security defense system, upgraded its digital security architecture and resumed its internal services following those attacks.

A couple of days after first hearing from the attackers, someone from Quanta responded, saying that they were “not the person in charge of the company,” and explained that they wanted clarification on the malicious actors’ demands. The REvil/Sodinokibi representative threatened to publish Apple’s data shortly thereafter.

A Spring-Loaded Data Leak

In their initial blog post, REvil/Sodinokibi’s handlers explained that they had decided to wait to unveil the attack until Apple’s “Spring Loaded” event on April 20. There, the tech giant announced a new line of iPad Pro tablets and a redesigned iMac, both equipped with its M1 chip, as reported by The Verge.

The malicious actors also kept busy during the event by publishing some of Quanta’s stolen files, including proprietary blueprints for new Apple devices. They’re now demanding that Apple pay $50 million by May 1. In the meantime, the attackers promised to publish new files stolen from Quanta every day, Bloomberg News noted.

A Broader View of the Threat Landscape

Sam Curry, chief security officer at Cybereason, explained that geopolitical tensions could be at play in this ransomware incident, stating: “The shocking Apple cyberattack is a reminder that ransomware sits at the forefront of a new cyber war that nation-states are waging on western corporations and government agencies. The specter of the Russian government in the shadows can’t be ignored because it comes at a time of cyber saber-rattling between the U.S. and Russia.”

Most recently, the White House announced a new round of sanctions to punish Russia for its “harmful foreign activities.” Those actions include prohibiting U.S. financial institutions from participating in the primary market for ruble or non-ruble denominated bonds that are issued after June 14, 2021.

Russian President Vladimir Putin responded to the Biden Administration’s sanctions by expelling 10 U.S. diplomats and blacklisting eight current and former U.S. officials, as reported by The Washington Post.

“This attack on the supply chain of the largest supplier of consumer-used computing devices is not a coincidence,” Curry noted. “Either REvil is benefitting indirectly from pariah policies related to cybercrime in Russia or is directly taking orders from a government sending a message around the world to Washington. Either way, this is one to watch as only the ongoing story unfolds.”

That doesn’t mean organizations can wait to defend themselves against ransomware, however. Curry is of the same mindset.

“These bold and brazen attacks are coming faster and more frequently than ever before,” Curry said. “And with ransom demands skyrocketing from a few thousand dollars to $50 million or more, it is time for the private and public sector to put any difference aside to come together to find solutions.”

Those solutions include improving organizations’ ability to track Indicators of Behavior (IOBs) instead of Indicators of Compromise (IOCs). Under this operation-centric approach to their digital security, organizations can visualize an attack chain and shut it down regardless of whether anyone has seen it before.

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.