Acer

The REvil ransomware operation claims to have stolen unencrypted data after hacking electronics and computer giant Acer.

Yesterday, the ransomware gang announced on their data leak site that they had breached Acer and shared some images of allegedly stolen files as proof.

These leaked images are for documents that include financial spreadsheets, bank balances, and bank communications.

Acer data leak on REvil ransomware site
Acer data leak on REvil ransomware site

In response to BleepingComputer’s inquiries, Acer did not provide a clear answer regarding whether they suffered a REvil ransomware attack, saying instead that they “reported recent abnormal situations” to relevant LEAs and DPAs.

You can read their complete response below:

“Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

“We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.” – Acer.

In requests for further details, Acer said “there is an ongoing investigation and for the sake of security, we are unable to comment on details.”

Possible Microsoft Exchange exploitation

Vitali Kremez told BleepingComputer that Advanced Intel’s Andariel cyberintelligence platform detected that the Revil gang recently targeted a Microsoft Exchange server on Acer’s domain.

“Advanced Intel’s Andariel cyberintelligence system detected that one particular REvil affiliate pursued Microsoft Exchange weaponization,” Kremez told BleepingComputer.

Andariel feed showing targeting of Acer Exchange Server
Andariel feed showing targeting of Acer Exchange Server

The threat actors behind the DearCry ransomware have already used the ProxyLogon vulnerability to deploy their ransomware but they are a smaller operation with fewer victims.

If REvil did exploit the recent Microsoft Exchange vulnerabilities to steal data or encrypt devices, it would be the first time one of the big game-hunting ransomware operations used this attack vector.