The notorious REvil ransomware gang recently targeted a Microsoft Exchange server on Taiwanese PC giant Acer’s domain, according to Advanced Intelligence CEO Vitali Kremez.
Advanced Intel’s Andariel cyber-intelligence platform detected that an affiliate of REvil attempted had to weaponize Microsoft Exchange, Kremez told CRN. Data collected by Andariel on March 5 shows that Acer’s Exchange server had been targeted, according to a screenshot from BleepingComputer, which first reported the news. REvil claimed on their leak site Thursday that they had broken into and stolen Acer’s unencrypted data.
The REvil attack would represent an escalation in the massive campaign against Microsoft Exchange servers, which first came into the public eye March 3 when the Redmond, Wash.-based software giant disclosed four vulnerabilities in on-premise versions of Exchange. Adversaries last week begun deploying DearCry ransomware on victim systems after hacking into unpatched Exchange servers, Microsoft said.
Unlike DearCry – which BleepingComputer said is a smaller operation with fewer victims – REvil is one of the most infamous ransomware operators around, bursting onto the scene in 2019 when it unleashed a devastating ransomware attack on 22 Texas towns and countries via TSM Consulting, their MSP. Microsoft declined to comment on the BleepingComputer report.
It’s possible the REvil affiliate that went after Acer also works with other threat actors, so other groups might now also be able to target Exchange servers, according to Brett Callow, a threat analyst with New Zealand-based Emsisoft. As of last week, there were still approximately 80,000 older Exchange servers that couldn’t directly apply Microsoft’s security updates, Palo Alto Networks told BleepingComputer.
The REvil affiliate behind the Acer attack demanded a US$50 million ransom, LeMagIT reported Friday afternoon. In a conversation that started March 14, the attackers offered Acer a 20 percent discount if payment was made by this past Wednesday. In return, the REvil affiliate said they’d provide a decryptor, a vulnerability report, and the deletion of stolen files, according to BleepingComputer.
On their public leak site, REvil posted alleged images from Acer’s financial spreadsheets, bank balances, and bank communications. The US$50 million ask of Acer is the largest-ever ransom demand to become publicly known, Callow said, larger than the US$42 million REvil wanted from celebrity law firm Grubman Shire Meiselas & Sacks, who counted Nicki Minaj, Mariah Carey and LeBron James among its clients.
Acer wouldn’t comment on whether it was hit by ransomware, the size of the ransom demanded, or if its Microsoft Exchange servers were targeted. “Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries,” an Acer spokesperson told CRN.
REvil’s claim to fame is democratizing access to its tools through an affiliate model, giving groups around the world access to its technology, Proofpoint EVP of cybersecurity strategy told CRN last year. The ransomware operator has gone after affiliates with some capability around network intrusion, and having more actors under the REvil umbrella has allowed the group to dramatically scale up its attacks.
The group followed in the footsteps of RobinHood and Maze in December 2019 when it tried to extort organizations not paying the ransom by publishing victim data to a leak site, CrowdStrike SVP of Intelligence Adam Meyers told CRN in 2020.