Acer has been hit with a $50 million ransomware demand, according to news reports. 

This appears to be one of the biggest ransomware demands to date, BleepingComputer reports. After inquiries, Acer did not provide a definitive answer if they had suffered a REvil ransomware attack. Instead, they said, "Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries." 

The computer giant also said the investigation was "ongoing" and that "for the sake of security," they were "unable to comment on details."

Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “Acer's identity and data was posted on Sodinokibi's (aka REvil) data leakage site "Happy Blog" on March 18, 2021, and the data allegedly exposed included client lists, payment form applications, and financial documents. A leak of the ransom note revealed that Acer had until March 28, 2021, to pay a ransom of XMR 214,151 (Monero) (USD 50 million). If the ransom was not paid within the stipulated date, the ransom would double to USD 100 million."

Righi explains that the REvil ransomware group is known for its high ransom demands, with a recent example being its USD 30 million ransom demanded from Dairy Farm in February 2021. "It is not known if any of REvil's victims have paid these exorbitant ransom demands, although it is unlikely. The large demand suggests that REvil likely exfiltrated information that is highly confidential, or information that could be used to launch cyberattacks on Acer's customers."

According to BleepingComputer, the attack may suggest that the REvil ransomware gang may have successfully weaponized the Microsoft Exchange ProxyLogon vulnerabilities to gain access to Acer. "Advanced Intel's Andariel cyberintelligence system detected that one particular REvil affiliate pursued Microsoft Exchange weaponization," Vitali Kremez told BleepingComputer.

It appears cybercriminals behind the DearCry have also used the ProxyLogon vulnerability, but if REvil did exploit this vulnerability, it would be the first time a major ransomware gang used this attack vector, BleepingComputer reports.

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, says, “It’s to be expected that the Microsoft Exchange Server vulnerabilities will be leveraged by a number of actors with varying objectives over the coming weeks and months. Targeted ransomware actors like REvil will see this as a particular boon as the many bespoke steps of an attack (infiltration, reconnaissance, gaining access to valuable data) can be short-circuited with a direct attack on an organization’s Exchange server. The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit – I would guess that Acer would either pay no ransom or would negotiate a much reduced amount.”

Righi adds, "REvil allegedly targeted Microsoft Exchange server vulnerabilities in attacks against Acer, which are becoming increasingly targeted by ransomware groups, as well as many other threat actors. Other ransomware groups targeting ProxyLogon vulnerabilities have included "DearCry" and "BlackKingdom", but it is likely there are more undiscovered instances in the wild. Mitigation for Exchange server vulnerabilities include applying the security updates issued by Microsoft and scanning systems for traces of attacks."

Righi explains that frequent ransomware infection and attack vectors include weaponized attachments via phishing and the targeting of remote desktop protocol (RDP). "Ransomware operators also may target systems that are pre-infected with other types of malware. Organizations should create a robust security awareness program that trains employees to identify suspicious emails and report them to an incident response authority. Organizations should also restrict RDP behind an RDP Gateway and enable Network Level Authentication to provide security benefits if RDP is required to be Internet-facing.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “Throughout 2021, comments have been made and research has shown that ransomware has been on a downward trend. One thing to consider is that there has been some successful takedown activity by law enforcement last year and early this year, which could mean that lower level cyber criminals or less capable attackers have been removed from the scene (temporarily). This in turn means that the real players have been waiting for a real opportunity and this could be one of them."

'Another consideration is that the situation like the one with Microsoft Exchange has not come around in some time where a technology so prolific was so easily exploited. This also presents an opportunity that ransomware operators simply could not pass up. The name of the game in ransomware is finding easy entry points and that is what the Exchange vulnerability presented," Hoffman notes. 

He adds. "The third consideration is that cyber criminals have been investing their time in supply chain and developers tool attacks which has reduced the focus on ransomware attacks since they are now playing the “long game”. This presents an opportunity in itself because attackers who saw the payoff from these supply chain attacks left a gap where ransomware operators have more available attack surface (meaning ransomware will become a bull market again).”