A $50m ransomware demand made against PC manufacturer Acer by the REvil/Sodinokibi cybercrime syndicate appears to be the highest ever made. Details of the record-breaking double-extortion cyber attack first emerged on 18 March, with financial data exfiltrated from the Taiwan-based firm by the REvil gang published to its dark web leak site after initial negotiations broke down. Subsequent investigations by Computer Weekly’s sister sites LeMagIT and SearchSecurity are credited with uncovering the ransomware demand for the equivalent of $50m, to be paid in the monero cryptocurrency. According to LeMagIT, the gang had offered a 20% discount on its original demand provided the money was handed over by 17 March. Acer’s negotiators had offered $10m. At the time of writing, the gang has given Acer until 28 March to pay, at which point the ransom demand will double.
“Acer routinely monitors its IT systems, and most cyber attacks are well defenced,” said Acer in a statement.
“Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.
“We have been continuously enhancing our cyber security infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices and be vigilant to any network activity abnormalities.”
Separately, BleepingComputer’s investigation into the attack suggests that the REvil gang may have successfully weaponized the Microsoft Exchange ProxyLogon vulnerabilities to access Acer’s network.
Although limited infections of a new strain of ransomware – DearCry – have been observed taking place via ProxyLogon, this would be the first public disclosure of a significant ransomware operation exploiting the vulnerabilities, which leave on-premises Microsoft Exchange Servers open to takeover.