Gorodenkoff - stock.adobe.com

Acer hit by apparent attack from REvil ransomware group

Acer told SearchSecurity in a statement that it has 'reported recent abnormal situations observed to the relevant law enforcement.' However, it did not confirm a ransomware attack.

Acer has been hit by an apparent cyber attack, according to a post on ransomware group REvil's dark web site.

The post and alleged leak was published Thursday onto REvil's dark web leak site, titled "Happy Blog." The posting, which SearchSecurity independently viewed, contained a long list of supposed financial records from the Taiwanese PC vendor. It's unclear whether REvil threat actors deployed ransomware within Acer's network or merely stole corporate data.

SearchSecurity contacted Acer Thursday to inform the company of the post and requested comment on the alleged attack. Acer responded with a statement Friday morning.

"Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries," the statement read. "We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities."

UPDATE: A REvil ransomware sample on malware analysis site Hatching Triage was discovered by TechTarget sister publication LeMagIT Friday, which contained a link to a REvil ransomware demand for $50 million in Monero (213,151 XMR as of publishing).

SearchSecurity independently viewed the ransom demand link included in the malware sample. Along with the demand was a "chat support" tab that contained an apparent chat window between threat actors and a negotiator working on behalf of an unnamed victim. As proof of the breach, the threat actors provided some data, including a link to the Happy Blog post that contained Acer data.

Acer REvil ransomware
Threat actors demanded a ransom of $50 million from Acer.

The negotiator appeared surprised by the high demand and tried to get the threat actors to lower it, but the threat actors abruptly broke off negotiations in apparent frustration. The site had a remaining time of approximately 8 days, 18 hours, at which point the Monero price would double to $100 million.

Threat detection vendor Emsisoft notified SearchSecurity of the posting on REvil's Happy Blog. Emsisoft threat analyst Brett Callow said in an email that threat actors are getting better at hitting large targets.

"While most ransomware victims are still small businesses, threat actors have become increasingly adept at penetrating the networks of much larger enterprises. And, of course, that means bigger ransoms, which in turn means the criminals are better resourced and more incentivized than ever before," he wrote. "And, of course, data theft has become increasing commonplace too with more than 1,300 organizations having their data stolen and posted online in 2020."

REvil, also known as Sodinokibi, was first identified by Cisco Talos in 2019 and has maintained a significant level of activity in the years since.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing