Details of the record-breaking double-extortion cyber attack first emerged on 18 March, with financial data exfiltrated from the Taiwan-based firm by the REvil gang published to its dark web leak site after initial negotiations broke down.
Subsequent investigations by Computer Weekly’s sister sites LeMagIT and SearchSecurity are credited with uncovering the ransomware demand for the equivalent of $50m, to be paid in the monero cryptocurrency.
According to LeMagIT, the gang had offered a 20% discount on their original demand provided the money was handed over by 17 March. Acer’s negotiators had apparently offered $10m. At the time of writing, the gang has given Acer until 28 March to pay, at which point the ransom demand will double.
“Acer routinely monitors its IT systems, and most cyber attacks are well defenced,” said Acer in a statement.
“Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.
“We have been continuously enhancing our cyber security infrastructure to protect business continuity and our information integrity. We urge all companies and organisations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.”
Separately, BleepingComputer’s investigation into the attack suggests that the REvil gang may have successfully weaponised the Microsoft Exchange ProxyLogon vulnerabilities in order to gain access to Acer’s network.
Although limited infections of a new strain of ransomware – DearCry – have been observed taking place via ProxyLogon, this would be the first public disclosure of a major ransomware operation exploiting the vulnerabilities, which leave on-premise Microsoft Exchange Servers open to takeover.
Thycotic chief security scientist Joseph Carson commented: “What we are seeing with ransomware is that cyber criminals continue to abuse privileged access, which enables them to steal sensitive data and deploy malicious ransomware.
“This means that organisations should prioritise privileged access as a top security measure to reduce the risks of ransomware and ensure strong access controls and encryption for sensitive data.”
Webroot senior threat research analysis Kelvin Murray said the scale of the attack on a prominent target no doubt reflected the increasing sophistication of the cyber criminal underworld.
“This was no doubt a meticulously planned attack which involved target research, professional hacking and uncrackable encryption,” he said. “Fifty million dollars is a huge ransom demand, but when the victim is a high-profit business, then the world’s top ransomware gangs can afford to be cocky with their demands too.”
Richard Hughes, head of technical cyber security at the A&O IT Group, commented: “Ransomware attacks are a major source of income for cyber criminals, with a huge reward for very little effort. The $50m demand is the highest currently known and while shocking, only serves to demonstrate the potential that the perpetrators see in this form of attack.
“Acer should not consider paying this ransom, as doing so would simply keep this as a viable business model. It should also be noted that there is no guarantee that an organisation will be able to decrypt data after paying a ransom as ransomware does not go through strict quality control and often contains bugs that may prevent successful recovery.
“It is more important than ever to conduct regular security assessments and ensure that the latest security patches are tested and deployed as soon as they are available. Organisations should also consider the design of their environments to help prevent the spread of an attack should the worst happen.”