Does REvil’s Ransomware Attack on Apple Signal a New Chapter in Cyber Extortion?

essidsolutions

At least 15 screenshots of stolen Apple data on upcoming MacBooks were leaked on the day the company unveiled its new line of iPads and iMacs. It turns out the REvil ransomware gang breached a Taiwan-based Apple supplier and stole data for which it is now demanding $50 million. The event prompted the U.S. DoJ to form a ransomware task force in association with multiple federal agencies.

Cupertino, CA-based Apple Inc has reportedly been targeted in a ransomware attack by the REvil ransomware gang. The company has been directed to fork out $50 million, one of the highest ever ransom demands, in exchange for the data stolen from Quanta Computer, one of the manufacturers of Apple’s MacBook and other products.

The Record first reported the attack this past Tuesday, the day operators of the REvil ransomware publicly posted screengrabs of the stolen data as proof on the group’s data leak site, Happy Blog. The leak coincided with Apple’s Spring Loaded event, where it unveiled its latest series of iPads, iMacs, and the new AirTags.

REvil posted on their leak site, “In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many. Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem.”

This is the first time a ransomware gang has extorted the customer of its primary victim, which could start a new trend among other ransomware groups, much as the Maze ransomware gang gained infamy for pioneering the now widespread double-extortion technique.

REvil’s attack on Apple/Quanta also uses double extortion, since the attackers exfiltrated data rather than just encrypting it on the victim’s servers. Instead of simply exchanging money for a decryptor for the encrypted files, this technique adds extortion through data leaks: the attacker threatens to publicly release the victim organization’s data if it refuses to pay the ransom.


What’s at Stake?

Evidently, the stolen data includes schematics of Apple’s new MacBooks designed in March 2021, and possibly other data, for which Quanta has apparently refused to pay up. “Quanta Computer’s information security team has worked with external IT experts in response to cyber attacks on a small number of Quanta servers,” the company said in a statement to Bloomberg.


Source: The Record

“We’ve reported to and kept seamless communications with the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There’s no material impact on the company’s business operation.” Quanta also stated that they are upgrading their cybersecurity systems.

Consequently, the onus to shell out millions has now shifted to Apple, which has been warned that failure to pay would result in more leaks each passing day until May 1.

REvil operators wrote, “Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands. We recommend that Apple buy back the available data by May 1.” Meanwhile, the leaked specs have sparked discussion among users over features of the next Apple Macbook.

It remains unclear what other data from Quanta’s servers the REvil gang, also known as Sodinokibi, has obtained. Quanta also serves other market leaders such as HP, LG, Dell, Toshiba, Lenovo, Microsoft, Google, and Facebook.

The $50 million ransom is one of the highest ever demanded by any ransomware group, a sharp 40% rise over the average ransomware demand ($30 million) recorded last year.

The FBI’s stance on paying ransom demands is clear: it advises organizations not to pay. “The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” says an official release. However, given the way ransomware attacks are evolving, it seems that the FBI’s statement fails to take into account the trend of data theft-driven ransomware attacks.

Possible Drivers

The motivation behind the attack is unknown as of now, but the threat actors would have one believe, going by their statement on Happy Blog, that they did it “in order not to wait for the upcoming Apple presentations.” Still, the fact that the United States imposed sanctions on Russia on April 15 over the involvement of a Russian nation-state cyber group in the massive SolarWinds hack, the U.S. furore over the jailing of Alexei Navalny, and the alleged Russian interference in the U.S. elections should not be discounted.

However, there is no reason to believe that REvil, which is based out of Russia, is a state-sponsored ransomware group. Besides, targeting a Taiwan-based vendor of an American company makes little sense given the capabilities of Russian cyber operations, especially when you consider the depth of the impact the software supply chain attack had on SolarWinds and, by extension, its customers.

The U.S. response to the incident has come in the form of a ransomware task force, CNN reported. The task force will lead a coordinated federal effort to minimize the threat from ransomware attacks.

Acting Deputy Attorney General John Carlin in his letter to department heads at the DoJ, the FBI, and US attorneys wrote, “Although the Department has taken significant steps to address cybercrime, it is imperative that we bring the full authorities and resources of the Department to bear to confront the many dimensions and root causes of this threat.”

Further, a private ransomware task force announced by The Institute for Science and Technology in December 2020, consisting of McAfee, Citrix, Rapid7, Microsoft, Cyber Threat Alliance, Global Cyber Alliance, Cybereason, and others, is expected to deliver a framework to neutralize the threat from ransomware on April 29.


Previous REvil/Sodinokibi Operations

The REvil strain came into existence in April 2019 and has since featured in Webroot’s list of top 10 nastiest malware, both in 2019 and 2020. By October 2020, operators of REvil had targeted 140 organizations, 32% of which had their data leaked.

Besides direct attacks, the group also leases out the strain and operates in a ransomware-as-a-service model. According to threat analysts at IBM Security X-Force Incident Response, Sodinokibi was behind almost one in three (29%) ransomware attacks in 2020.

IBM estimates that the group has netted at least $81 million in profits. Other victims of the REvil group include the Kentucky-based maker of the popular whiskey Jack Daniels in August 2020, celebrity law firm Grubman Shire Meiselas & Sacks in May 2020, forex company Travelex in January 2020, and the world’s sixth largest PC vendor, Acer, in March 2021.

The recent ransomware event involving Quanta may not materially impact Apple’s business operations, but it clearly enlarges the risk horizon for supply chain vendors worldwide.
