Acer has suffered a $50 million ransomware attack
# Incident Report: REvil Ransomware Attack on Acer ($50 Million Demand)
## Executive Summary
The computer manufacturing giant Acer was targeted by the REvil ransomware gang in an attack in which sensitive internal communications and financial balance sheets were exfiltrated. The attackers demanded an unprecedented $50 million ransom and threatened to publish the data online if the deadline was missed. The initial access vector appears to be exploitation of the ProxyLogon vulnerabilities (CVE-2021-26855 and the bugs chained with it) in an unpatched, internet-facing Microsoft Exchange server. Microsoft had released out-of-band fixes for these on March 2, 2021, so by the time of this attack they were known, patched vulnerabilities rather than true zero-days.
## Incident Details
- Discovery Date: Not explicitly stated, but information was posted by REvil on their leak site.
- Incident Date: Prior to March 22, 2021 (when the demand was reported).
- Affected Organization: Acer Corporation
- Sector: Computer Manufacturing / Electronics
- Geography: Taiwan (Headquarters)
## Timeline of Events (Inferred)
### Initial Access
- Date/Time: Unknown prior to disclosure.
- Vector: Exploitation of the **Microsoft Exchange Server ProxyLogon vulnerabilities** (CVE-2021-26855, a server-side request forgery that bypasses authentication, chained with CVE-2021-27065, an arbitrary file write used to drop a web shell). These were zero-days when Microsoft disclosed and patched them on March 2, 2021; the attack on Acer came after the patches were public.
- Details: Attackers targeted the Microsoft Exchange server serving Acer's domain.
### Lateral Movement
- **Details:** Not specified in the report, but subsequent actions led to the seizure of internal communications and financial balance sheets, implying successful internal reconnaissance and data staging.
### Data Exfiltration/Impact
- **Details:** Sensitive data, including internal communications and financial balance sheets, was seized and held for ransom (double extortion).
### Detection & Response
- **How it was discovered:** The breach and subsequent ransom demand were made publicly known when REvil posted evidence of the data leak on their dark web site.
- **Response actions taken:** Acer was facing an 8-day ultimatum to pay the ransom ($50 million, escalating to $100 million after 8 days) to prevent data publication. (Specific internal response steps are not detailed in the source text.)
## Attack Methodology
- **Initial Access:** Exploitation of unpatched **Microsoft Exchange Zero-Day vulnerabilities**.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified, though successful exfiltration implies evasion occurred.
- **Credential Access:** Not specified.
- **Discovery:** Not specified, but access to internal communications and financial data suggests internal network reconnaissance occurred.
- **Lateral Movement:** Not specified (implied by data access).
- **Collection:** Internal communications and financial balance sheets.
- **Exfiltration:** Data was exfiltrated to support the double extortion scheme.
- **Impact:** Data encryption likely occurred (standard for ransomware, although the focus here is on exfiltration) and data publication threat (double extortion).
## Impact Assessment
- **Financial:** Ransom demand of **$50 million USD**, the largest publicly reported ransom demand at the time, rising to $100 million if the 8-day deadline passed.
- **Data Breach:** Internal communications and financial balance sheets were stolen.
- **Operational:** Not detailed, but the deployment of ransomware typically causes significant operational disruption.
- **Reputational:** Significant negative publicity due to the massive ransom demand and documented compromise of sensitive corporate data.
## Indicators of Compromise
- (No specific network artifacts, IPs, domains, or file hashes were provided in the text, as the article focuses on the discovery and demand.)
## Response Actions
- **Containment measures:** Not explicitly detailed.
- **Eradication steps:** Not explicitly detailed.
- **Recovery actions:** Acer was facing a time-sensitive decision regarding ransom payment versus data restoration/remediation.
## Lessons Learned
- Major organizations can leave critical, publicly known vulnerabilities unpatched: the Exchange ProxyLogon bugs had public fixes, Microsoft detection guidance and wide-scale in-the-wild exploitation before this attack was disclosed.
- The success of the attack highlights gaps in patching and vulnerability management for critical internet-facing systems. For an asset like Exchange that is exposed to the internet and mass-exploited within days of disclosure, the patch window has to be measured in hours or days, not the monthly cycle.
- REvil employed a maximum leverage double-extortion strategy, targeting highly sensitive data (financials, communications).
## Recommendations
- Immediately apply Microsoft's March 2021 security updates to all Microsoft Exchange servers, internet-facing ones first. Patching closes the entry point but does not remove web shells or accounts already planted; any server that was exposed while unpatched should be investigated for compromise before it is trusted again.
- Enhance monitoring around Exchange servers for indicators of initial access exploitation. Microsoft published log-based indicators for CVE-2021-26855 (HttpProxy log entries with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~host/path), together with file-system checks for unexpected .aspx files under the OWA and ECP virtual directories, and released the Test-ProxyLogon.ps1 script to run these checks.
- Review and enhance overall vulnerability management program, specifically focusing on critical systems.
- Develop and test comprehensive incident response playbooks related to double extortion ransomware scenarios.
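To make the monitoring recommendation concrete, the following is an added example written for this report; it is not Acer's, REvil's or Microsoft's code. It applies the HttpProxy-log indicator Microsoft published for CVE-2021-26855 (empty `AuthenticatedUser` together with a client-supplied `AnchorMailbox` of the form `ServerInfo~host/path`) to Exchange HttpProxy CSV logs and summarises hits per source address for triage. The log sample is constructed and keeps only a subset of the real columns; the column names are assumed to match the CSV header Exchange writes (the same header `Import-Csv` relies on), and the `#Fields:` handling is a defensive assumption for builds that carry the header in the preamble.

```python
"""Scan Exchange HttpProxy logs for the ProxyLogon (CVE-2021-26855) SSRF pattern.

Added example for this incident report, not code from Acer, REvil or Microsoft.
Detection rule (as published by Microsoft for CVE-2021-26855): a request whose
AuthenticatedUser is empty while AnchorMailbox reads 'ServerInfo~<host>/<path>',
i.e. the client, not the server, chose the back-end target of the proxied request.
"""
from __future__ import annotations

import csv
from collections import Counter
from typing import Iterable

# Constructed sample (assumption: column names match the real CSV header, of
# which only a subset is kept here). Three benign requests, two exploitation
# attempts from 203.0.113.10, and one unauthenticated but harmless Autodiscover
# probe that must NOT be flagged.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent
2021-03-05T10:12:01.120Z,a1,198.51.100.7,mail.example.test,/owa/,FBA,True,EXAMPLE\\jdoe,Sid~S-1-5-21-1-2-3-1104,Mozilla/5.0
2021-03-05T10:12:03.004Z,a2,203.0.113.10,mail.example.test,/owa/auth/x.js,,False,,ServerInfo~localhost/ecp/proxyLogon.ecp?a=x,python-requests/2.25.1
2021-03-05T10:12:03.890Z,a3,203.0.113.10,mail.example.test,/ecp/y.js,,False,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory,python-requests/2.25.1
2021-03-05T10:12:05.000Z,a4,198.51.100.8,mail.example.test,/EWS/Exchange.asmx,Negotiate,True,EXAMPLE\\svc-crm,Sid~S-1-5-21-1-2-3-1200,ExchangeServicesClient/15.01
2021-03-05T10:12:06.000Z,a5,198.51.100.9,mail.example.test,/autodiscover/autodiscover.xml,Basic,False,,,Microsoft Office/16.0
"""

TRIAGE_FIELDS = ("DateTime", "ClientIpAddress", "UrlStem", "AnchorMailbox", "UserAgent")


def iter_rows(log_text: str) -> Iterable[dict[str, str]]:
    """Yield CSV rows, skipping the '#...' preamble Exchange writes above the header.

    Assumption: if a build carries the header as '#Fields: ...', use that line as the header.
    """
    lines: list[str] = []
    for line in log_text.splitlines():
        if not line:
            continue
        if line.startswith("#Fields:"):
            lines.append(line[len("#Fields:"):].strip())
        elif line.startswith("#"):
            continue
        else:
            lines.append(line)
    return csv.DictReader(lines)


def is_proxylogon_request(row: dict[str, str]) -> bool:
    """Microsoft's CVE-2021-26855 indicator: no authenticated user, yet the
    back-end anchor was supplied by the client as ServerInfo~host/path."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_proxylogon_candidates(log_text: str) -> list[dict[str, str]]:
    """Return the suspicious rows, trimmed to the fields an analyst needs for triage."""
    return [
        {k: row.get(k, "") for k in TRIAGE_FIELDS}
        for row in iter_rows(log_text)
        if is_proxylogon_request(row)
    ]


def sources_by_hits(candidates: list[dict[str, str]]) -> list[tuple[str, int]]:
    """Rank source addresses by number of hits; the top entries are the scanners/exploiters."""
    return Counter(c["ClientIpAddress"] for c in candidates).most_common()


def scan_log_files(paths: Iterable[str]) -> list[dict[str, str]]:
    """Run the check over real log files (e.g. every *.log under Logging\\HttpProxy)."""
    hits: list[dict[str, str]] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in find_proxylogon_candidates(fh.read()):
                hits.append({"LogFile": path, **hit})
    return hits


if __name__ == "__main__":
    hits = find_proxylogon_candidates(SAMPLE_HTTPPROXY_LOG)
    for hit in hits:
        print(f"{hit['DateTime']} {hit['ClientIpAddress']} {hit['UrlStem']} -> {hit['AnchorMailbox']}")
    for ip, count in sources_by_hits(hits):
        print(f"source {ip}: {count} suspicious request(s)")
```

On a server, point `scan_log_files` at the files under the HttpProxy logging directory of the Exchange installation and investigate any hit: a flagged entry means an unauthenticated client steered the proxy to an internal endpoint, which is the exploitation step, not just a scan. Note what the rule does not catch: the unauthenticated Autodiscover row in the sample is correctly ignored, but a web shell dropped after a successful exploit would appear in later logs as ordinary authenticated-looking requests to an unexpected `.aspx` path, so this log check must be paired with the file-system checks in the recommendation above.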