Sodinokibi/REvil Ransomware Gang Hit Acer with $50M Ransom Demand

The Sodinokibi/REvil ransomware gang has reportedly infected Taiwanese multinational electronics corporation Acer and demanded a ransom of $50 million. Those responsible for the Sodinokibi ransomware strain announced on their data leaks website that they had breached the computer giant.

The attackers, with whom we are very familiar, published images of financial statements, banking communications and other files that they had allegedly stolen from Acer as proof of their responsibility for the attack.

Upon hearing of this security incident, Bleeping Computer reached out to Acer to confirm the infection. The computer giant responded with the following statement:

Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.

We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.

The company also said that it was in the process of conducting an ongoing internal investigation to learn the full extent of what had happened. In an email conversation with Acer, a representative for the Sodinokibi gang demanded an incredible ransom payment of $50 million. This was the largest ransom ask made to date—many more times higher than what the Conti gang wanted from IoT manufacturer Advantech in November 2020.

The attackers said that they would reduce the ransom demand by 20%, provide a decryptor, send over a vulnerability report, and delete all files affected by the ransomware strain if the computer corporation agreed to pay by March 17.

Responding to Ransomware Attacks

The reported ransomware attack against Acer is yet another reminder that threat actors are essentially just extortionists. With a $50 million ransom demand, they are trying to triangulate the right price for the market, so to speak. The ransom demand is based on what they think the value of the hostage data and computing power of the network is worth.

As with pricing on the legitimate side of the business world, this is about leaving no money behind and understanding the customer—or in this case, the victim. Previous payments by companies are a good guide, as are other factors like estimated cash flow that’s been impacted, the ability of the victim to pay, the value of the data or services that have been denied, and so on.

As for negotiation, authorities advise victims to never pay a ransom. If your organization is considering making a ransomware payment, the FBI recommends involving legal counsel and insurance partners, as well as consulting with the authorities for guidance as to whether it is legal to pay at all. If an attacker resides in a sanctioned nation, there may be legal prohibitions against making a ransomware payment. Whether to pay a ransom or not remains an internal decision that each company needs to make carefully.

For Acer and other companies recently targeted by ransomware attacks, simply recovering doesn't solve everything. One of the primary goals is getting operational as quickly as possible, but there are other objectives that are also important.

Data backups are critical to a swift recovery, but they are not always a viable solution with regard to ransomware recovery. They can be compromised, as can other failover and redundancy plans. In addition,the bad guys understand how recovery is accomplished and have developed ever more insidious tactics to undermine these recovery options.

Data backups lose strategic value when organizations are confronted by attackers threatening to publish exfiltrated data if the ransom demand isn’t met. This double-extortion tactic is becoming increasingly common, as attackers seek to leverage stolen data with the threat to make it public should a target refuse to make the ransom payment, effectively rendering data backups an ineffective measure. Ultimately, prevention is the only viable means to protect an organization against ransomware attacks.

Defending Against Ransomware Attacks

Ransomware infections used to be the result of somewhat random or chance encounters with malicious websites, then evolved to more targeted phishing campaigns. The reality today is that ransomware attacks have evolved into multi-stage attack operations. It’s important to recognize that ransomware is not simply an evolution of traditional malware, but an element of increasingly complex and highly targeted operations.

Organizations need a multi-layered approach to prevention, detection and response that can surface an attack early, before any data is compromised or encrypted. Cybereason delivers the multi-layered prevention, detection and response required to defeat ransomware attacks that continue to evade traditional and nextgen security solutions:

  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NextGen Antivirus: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.
  • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.

To quote the W.O.P.R. supercomputer from the movie War Games, “the only winning move is not to play.” That is why it’s essential to have the capabilities in place to proactively detect and prevent ransomware attacks.

Defenders can reverse the adversary advantage and take the proverbial high ground by adopting a multi-layered defense strategy that takes an operation-centric approach. Talk to a Cybereason Defender and learn how to future-proof your organization against ransomware and other advanced threats.

Cybereason Team
About the Author

Cybereason Team

Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.

All Posts by Cybereason Team