REvil Possibly Infecting Unpatched Exchange Severs, Claims Acer as Victim - Binary Defense

Threat Watch

Threat Watch REvil Possibly Infecting Unpatched Exchange Severs, Claims Acer as Victim

REvil Possibly Infecting Unpatched Exchange Severs, Claims Acer as Victim

On March 18^th, the REvil ransomware group (also referred to as Sodinokibi) posted “proof” through their leak site that they infected Taiwanese computer giant Acer. The demand is the largest known to date at a whopping $50 million USD. Acer did not confirm the ransomware infection when reached out to by BleepingComputer, only acknowledging that “recent abnormal situations” had been reported to law enforcement. Below is the full statement:

“Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

“We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.” – Acer.

Vitali Kremez has told BleepingComputer that Advanced Intel has detected a REvil affiliate targeting an Exchange server in the Acer domain, following weeks of ProxyLogon (CVE-2021-26855) attacks across the internet. It is currently unknown if this was the vector for infection, however.

ANALYST NOTES

Binary Defense highly recommends that all organizations who have yet to patch download Microsoft’s recently released One-Click Microsoft Exchange On-Premises Mitigation Tool. While this does not replace Windows Update in any way, it assists administrators in remediating the recent Exchange attacks (CVE-2021-26855). Binary Defense also highly recommends that organizations follow the guidance in the CISA (Cybersecurity & Infrastructure Agency) and NCSC (National Cyber Security Centre) ransomware guides. These guides contain detailed information for small and large businesses alike, describing how to backup and protect data, creating incident response plans, and more.

Source: https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/

https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/

https://www.cisa.gov/publication/ransomware-guide

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks