Acer, the world's sixth largest computer manufacturer, may have fallen victim to a large-scale ransomware attack. The troubling detail: Exchange servers may have served as the gateway.
Ransomware attack: Acer to pay 50 million US dollars
50 million US dollars in cryptocurrency: that is how much cybercriminals are apparently demanding to unlock encrypted company data belonging to the Taiwanese computer manufacturer Acer. They had previously attacked its IT systems with the “REvil” ransomware. This malware spreads across the network and automatically encrypts important, often sensitive data; the criminals then usually demand a ransom for decryption. The news portal Bleepingcomputer reports this, citing several sources.
According to the report, the hacker group struck on March 14, 2021: presumably via an Exchange server, it gained access to the company’s IT infrastructure, exfiltrated documents, and encrypted data on a large scale. Screenshots that have surfaced on the Internet are said to show some of the stolen documents – and are likely to put the company under pressure. Among other things, financial and customer data are said to be visible.
Ransom: discount for immediate payment, double if deadline missed
Now the hackers are demanding a ransom of 50 million US dollars. Bleepingcomputer says it was able to view a chat between the criminals and Acer representatives. Attackers also use such public exposure to increase the pressure on their victims.
According to the report, the company representatives were shocked by the size of the ransom demand. Later in the exchange, the attackers are said to have offered a 20 percent discount if the sum were paid immediately. If, on the other hand, Acer did not comply with the demands by March 28, the hackers would demand 100 million US dollars.
Acer did not want to confirm the incident directly to Bleepingcomputer, but spoke of an ongoing investigation and stated that it could not disclose any details for security reasons.
Exchange Server as a gateway?
So far, there are no reliable findings as to how the criminals were able to penetrate Acer’s IT systems. One possible entry vector is via compromised e-mail servers. The IT portal heise.de reports that the Hafnium hacker group carried out a mass compromise of on-premises Exchange servers at the beginning of March.
In doing so, they are said to have exploited the “ProxyLogon” vulnerability, for which Microsoft did not release a patch until the beginning of March. Public exploits had already become known beforehand, which cybercriminals repeatedly used in attempts to install ransomware or crypto-mining software on unpatched systems.