The REvil ransomware gang is known for audacious attacks on some of the world’s biggest organisations, & for ‘astronomical’ ransom demands to match. Even so, its latest move against Apple, timed just hours before a splashy new product launch, was bold by the standards of the notorious ransomware-as-a-service gang.
It is not yet known whether Apple will pay the $50 million ransom the gang has demanded by May 1.
The original attack was launched against Quanta, a Global Fortune 500 electronics manufacturer that counts Apple among its customers. The Taiwan-based company is contracted to assemble Apple products, including the Apple Watch & the MacBook Air & MacBook Pro, from Apple-provided design schematics (it also builds the ThinkPad for Lenovo).
According to a published report, REvil breached Quanta’s servers, stole files & held them for ransom; in a statement posted on its dark web leak site, dubbed the “Happy Blog”, the gang said Quanta had refused to pay the original ransom for the attack.
Increase the Pressure
Once Quanta refused to pay, REvil began leaking blueprints for some products to increase the pressure, adding that more would be leaked every day the ransom went unpaid.
REvil timed the first leak to land just hours before Apple’s Spring Loaded event on Tues., & it included schematics for some of the new iMacs Apple debuted at that event.
“In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many,” according to REvil’s blog post, the report explained. “Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem.”
These launch events, once fronted by Apple co-founder Steve Jobs, have become integral to the brand, & Cupertino stages them with ‘big hype & fanfare’.
REvil has now said it wants $50m from Apple by May 1 in exchange for the files. REvil is not known for reticence; past experience shows that when the group says it holds a victim’s documents & will post them, it generally does.
“The REvil ransomware gang doesn’t make false promises,” observed Ivan Pittaluga, CTO of enterprise security firm Arcserve. “They’re notoriously known for leaking data if their demands aren’t met.”
REvil – They Delivered
REvil clearly understood the significance of the leak’s timing. Recorded Future observed that someone claiming to be the group’s spokesperson hinted on a forum last Sun. that the group was ‘prepping’ its “loudest attack ever.”
REvil’s ambitions are clearly growing. In Autumn 2020 the person claiming to be the group’s leader said it expected to make $100m by the end of that year. With a May 1 deadline for Apple to pay $50m in a single case, the stakes have been raised substantially.
REvil operates a ransomware-as-a-service business: it provides material support to “affiliates”, who carry out the technical side of each attack & keep 70-80% of the ransom. The affiliates are responsible for gaining initial access, destroying back-ups & exfiltrating the files.
REvil itself develops the encryptor, delivers it to the affiliates, & handles ransom negotiations & payment, the REvil leader explained last year.
REvil’s leader also teased a “big attack coming…linked to a very large video game developer” in last Autumn’s published interview.
An attack on Apple that grabs international headlines is also a recruiting advertisement: it may draw other would-be ransomware operators to partner with REvil, whose handiwork is all over the news. Beyond the potential payday, the Apple episode is turning into a publicity coup for the REvil brand.
“It’s clear from these recent attacks that REvil has perfected its approach to extorting companies for large amounts of money with ease,” noted Chandra Basavanna, CEO of endpoint security firm SecPod.
REvil has been on a spree lately: in Mar. it claimed to have hit 9 organisations across Africa, Europe, Mexico & the US. Many of the documents the group said it stole in those attacks appeared authentic to those who reviewed them.
The demand on Apple also is not the 1st time REvil has demanded such a hefty sum from a tech leader. Last month the group demanded $50m in ransom from computer maker Acer.
Even if Apple does not pay up, the attack could still pay off financially for REvil.
“Quanta was likely a target of opportunity & was likely pursued not because it would pay a large ransom, but because it held confidential data belonging to many of its customers & those customers could be extorted for ransoms,” said Oliver Tavakoli, CTO at Vectra, of REvil’s possible motivations.
“Once the data had been extracted from Quanta Computer, the data was likely classified regarding its potential value & whether opportune dates loomed on the calendar which would help create more pressure on the target organisation to pay. Apple met the criteria of deep pockets plus an upcoming product launch date.”
Growing tensions between the US & Russia were probably a side benefit, Tavakoli added.
Tense US-Russia Relations
Given REvil’s possible connection to the Russian Govt., its high-profile attack on America’s largest tech company should be viewed as another act of aggression by Vladimir Putin, intended to send a signal to the new Biden Administration, says Lior Div, CEO of Cybereason.
“This attack is a direct challenge to the Biden administration from Russia,” Div outlined in a statement. “When the largest US supplier of consumer technology & products is hit by this type of attack, the message from Russia to Western companies & govts. is loud & clear: We can control you.”
SolarWinds Breach
The attack on Apple follows the catastrophic SolarWinds breach, he pointed out, which the US Govt. has attributed to Russian state-backed actors.
“Russia is telling the US that it can steal our blueprints & our IP & that these types of attacks will continue bigger than ever with higher ransom demands,” Div added. “Putin will use the plausible deniability excuse & claim that the hacking group associated with the attack is not connected to Moscow.”
US Department of Justice
The US Department of Justice also announced on April 21, the day after the Apple leaks, that it is launching a ransomware task force whose work will range from “takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains,” US Acting Deputy Attorney General John Carlin wrote in a memo announcing the move.
It is unclear how successful those efforts would be against groups like REvil.
Austin Merritt, a Digital Shadows analyst & expert on Russian-language underground forums, recently explained that even without direct state sponsorship there is an understanding between the Russian state & threat actor groups based in the country, such as REvil: they may run their operations from Russia, provided they direct their attacks outside its borders.
Impunity Against the West
He added that these groups can act with impunity against the West, without fear of law enforcement or extradition, leaving them free to grow their operations.
“I have made it a policy not to guess what goes on in Putin’s mind – but the fact that there would be tense relations between the Biden & Putin administrations was easy to predict, & each side is likely to deploy its vast array of pressure tactics which come up just short of a military confrontation,” Tavakoli commented.
Dirk Schrader from New Net Technologies explained that the scale of the damage being inflicted by ransomware, which he said is expected to top $20b in 2021 alone, should make stopping these attacks a top priority.
“The ever-growing dependence on digital technology will further increase this & the impact any ransomware case has on the society,” Schrader observed. “State-sponsored cyber-crime actors, or those actors who prefer a certain government or regime, will use their growing might to ‘support’ a certain policy position by that regime.
Addressing this complex should be a priority task for any government, where the difficulty is to find the right combination of enforcement & encouragement, given that cyber-security is still seen as cost not as an enabler of business resilience by many.”
Subsequent Ransom Demand
Arcserve’s Pittaluga called the attack on Quanta & the subsequent ransom demand on Apple a “cautionary tale” for companies that may themselves run tightly secured networks yet remain exposed to weaknesses in their supply chain.
“To avoid a similar fate, companies should actively patch any vulnerabilities in their network, frequently back up data to a separate location offsite or in the cloud, and conduct threat analyses continuously,” he concluded.