March 23, 2021 | 3 minute read
The Sodinokibi/REvil ransomware gang has reportedly infected Taiwanese multinational electronics corporation Acer and demanded a ransom of $50 million. Those responsible for the Sodinokibi ransomware strain announced on their data leaks website that they had breached the computer giant.
The attackers, with whom we are very familiar, published images of financial statements, banking communications and other files that they had allegedly stolen from Acer as proof of their responsibility for the attack.
Upon hearing of this security incident, Bleeping Computer reached out to Acer to confirm the infection. The computer giant responded with the following statement:
Acer routinely monitors its IT systems, and most cyberattacks are well defended. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.
We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.
The company also said that it was conducting an ongoing internal investigation to learn the full extent of what had happened. In an email conversation with Acer, a representative for the Sodinokibi gang demanded a ransom payment of $50 million. This was the largest ransom demand reported to date, many times higher than what the Conti gang wanted from IoT manufacturer Advantech in November 2020.
The attackers said that they would reduce the ransom demand by 20%, provide a decryptor, send over a vulnerability report, and delete all files affected by the ransomware strain if the computer corporation agreed to pay by March 17.
The reported ransomware attack against Acer is yet another reminder that threat actors are essentially just extortionists. With a $50 million ransom demand, they are trying to triangulate the right price for the market, so to speak. The ransom demand is based on what they think the value of the hostage data and computing power of the network is worth.
As with pricing on the legitimate side of the business world, this is about leaving no money behind and understanding the customer—or in this case, the victim. Previous payments by companies are a good guide, as are other factors like estimated cash flow that’s been impacted, the ability of the victim to pay, the value of the data or services that have been denied, and so on.
As for negotiation, authorities advise victims to never pay a ransom. If your organization is considering making a ransomware payment, the FBI recommends involving legal counsel and insurance partners, as well as consulting with the authorities for guidance as to whether it is legal to pay at all. If an attacker resides in a sanctioned nation, there may be legal prohibitions against making a ransomware payment. Whether to pay a ransom or not remains an internal decision that each company needs to make carefully.
For Acer and other companies recently targeted by ransomware attacks, simply recovering doesn't solve everything. One of the primary goals is getting operational as quickly as possible, but there are other objectives that are also important.
Data backups are critical to a swift recovery, but they are not always a viable solution for ransomware recovery. Backups can be compromised, as can other failover and redundancy plans. In addition, attackers understand how recovery is accomplished and have developed ever more insidious tactics to undermine these recovery options before they deploy the encryption payload.
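The point about attackers undermining recovery before encrypting is worth making concrete. The page does not describe what steps were taken inside Acer's network, so the following is an added example, not Cybereason's or Acer's code: a small detector, run over constructed process-creation events (the hostnames, users and timestamps are made up), that flags the well-documented Windows recovery-tampering commands ransomware operators use, such as deleting volume shadow copies, deleting the Windows Backup catalog, and disabling boot recovery. Seeing several of these on one host in quick succession is a strong precursor signal, and it fires before any file is encrypted.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry from any incident).
# Format per line: "<timestamp> <host> <user> <parent_image> <command_line>"
SAMPLE_EVENTS = """\
2021-03-18T02:14:07Z WS01 CORP\\jdoe explorer.exe notepad.exe C:\\Users\\jdoe\\notes.txt
2021-03-18T02:14:09Z WS01 CORP\\jdoe cmd.exe vssadmin.exe delete shadows /all /quiet
2021-03-18T02:14:10Z WS01 CORP\\jdoe cmd.exe wbadmin.exe delete catalog -quiet
2021-03-18T02:14:11Z WS01 CORP\\jdoe cmd.exe bcdedit.exe /set {default} recoveryenabled no
2021-03-18T02:20:33Z SRV02 CORP\\backupsvc svchost.exe vssadmin.exe list shadows
2021-03-18T03:01:45Z SRV02 CORP\\backupsvc cmd.exe vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
"""

# Each rule names a recovery-tampering technique and the command-line pattern that
# implements it. "vssadmin list shadows" is deliberately NOT matched: listing is
# benign and common for backup software, deleting or shrinking storage is not.
RECOVERY_TAMPERING_RULES = [
    ("shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow storage shrink (forces shadow copy deletion)",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("WMI shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("boot recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot failure prompts suppressed",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def parse_event(line):
    """Split one event line into its fields; the command line keeps its spaces."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    timestamp, host, user, parent, command_line = parts
    return {"timestamp": timestamp, "host": host, "user": user,
            "parent": parent, "command_line": command_line}


def analyze(events_text):
    """Return {host: [(timestamp, rule_name, command_line), ...]} for matching events."""
    findings = defaultdict(list)
    for line in events_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for rule_name, pattern in RECOVERY_TAMPERING_RULES:
            if pattern.search(event["command_line"]):
                findings[event["host"]].append(
                    (event["timestamp"], rule_name, event["command_line"]))
                break  # one rule hit per event is enough
    return dict(findings)


def triage(findings):
    """Escalate hosts where several distinct tampering techniques appear together.

    A single hit (e.g. an admin shrinking shadow storage) deserves a look; two or
    more distinct techniques on one host is the pre-encryption staging pattern.
    """
    verdicts = {}
    for host, hits in findings.items():
        distinct_rules = {rule_name for _, rule_name, _ in hits}
        if len(distinct_rules) >= 2:
            verdicts[host] = "probable ransomware staging"
        else:
            verdicts[host] = "review"
    return verdicts


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for host, verdict in triage(found).items():
        print(f"{host}: {verdict}")
        for timestamp, rule_name, command_line in found[host]:
            print(f"  {timestamp}  {rule_name}: {command_line}")
```

In production the event source would be Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled; the matching logic is the same. The escalation threshold in `triage` is a judgement call: the patterns individually have legitimate administrative uses, but three of them within two seconds from a `cmd.exe` parent is not how administrators work.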
Data backups also lose strategic value when organizations are confronted by attackers threatening to publish exfiltrated data if the ransom demand isn't met. This double-extortion tactic is becoming increasingly common: attackers steal data before encrypting, then threaten to make it public should the target refuse to pay. A clean backup restores operations, but it does nothing about data that has already left the network. Ultimately, prevention, meaning catching the intrusion before data is exfiltrated or encrypted, is the only viable means to protect an organization against this kind of attack.
Ransomware infections used to be the result of somewhat random or chance encounters with malicious websites, then evolved to more targeted phishing campaigns. The reality today is that ransomware attacks have evolved into multi-stage attack operations. It’s important to recognize that ransomware is not simply an evolution of traditional malware, but an element of increasingly complex and highly targeted operations.
Organizations need a multi-layered approach to prevention, detection and response that can surface an attack early, before any data is exfiltrated or encrypted. Cybereason delivers the multi-layered prevention, detection and response required to defeat ransomware attacks that continue to evade traditional and next-gen security solutions.
To quote the W.O.P.R. supercomputer from the movie War Games, “the only winning move is not to play.” That is why it’s essential to have the capabilities in place to proactively detect and prevent ransomware attacks.
Defenders can reverse the adversary advantage and take the proverbial high ground by adopting a multi-layered defense strategy that takes an operation-centric approach. Talk to a Cybereason Defender and learn how to future-proof your organization against ransomware and other advanced threats.
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry's top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.