Taiwanese electronics company Acer -- one of the world's top 10 laptop and desktop makers -- has been hit with a $50 million ransom demand by a cybercrime syndicate, which has posted a range of internal documents to its darkweb site. It appears possible that the intrusion vector was an unpatched Microsoft Exchange server.
Acer has not publicly confirmed a ransomware attack. The company told Bleeping Computer (which first reported the breach): "Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries."
Valery Marchive of LeMagIT, a French IT publication, appears to have identified a REvil ransomware sample used in the Acer attack; a ransom note and transcripts of conversations between Acer and the cybercriminals have also emerged. It is not clear how much of Acer's network the attack has compromised.
The incident, first reported Friday March 19, came as multiple companies were hit in the same week by ransomware attacks. At the opposite end of the scale, a small education academy group in the UK saw a string of its schools hit. The Inspire Education Group appears to have been able to restore core services rapidly and claims not to have suffered any data exfiltration after multiple schools in Peterborough were hit.
Acer data breach: Taiwanese firm cites "abnormal situation"
Richard Hughes, Head of Technical Cyber Security at A&O IT Group noted in an emailed comment: "The $50 million demand is the highest currently known and whilst shocking only serves to demonstrate the potential that the perpetrators see in this form of attack... There is no guarantee that an organisation will be able to decrypt data after paying a ransom as ransomware does not go through strict quality control and often contains bugs that may prevent successful recovery. It is more important than ever to conduct regular security assessments and ensure that the latest security patches are tested and deployed as soon as they are available."
He added: "Organisations should also consider the design of their environments to help prevent the spread of an attack should the worst happen."
As the National Cyber Security Centre (NCSC) notes crisply: "Up-to-date backups are the most effective way of recovering from a ransomware attack; you should do the following:
- Make regular backups of your most important files - it will be different for every organisation - check that you know how to restore files from the backup, and regularly test that it is working as expected.
- Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment. Our blog on 'Offline backups in an online world' provides useful additional advice for organisations.
- Make multiple copies of files using different backup solutions and storage locations. You shouldn't rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.
- Make sure that the devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.
- You should ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible - cloud services often automatically synchronise immediately after your files have been replaced with encrypted copies.
- Ensure that backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time, and replicated to backups before being discovered.
- Regularly patch products used for backup, so attackers cannot exploit any known vulnerabilities they might contain."