The day Apple was about to announce a range of new products at its Spring Loaded event, a leak occurred from an unexpected quarter. Notorious ransomware gang REvil said it stole data and schematics from Apple supplier Quanta Computer about unreleased products and would sell the data to the highest bidder if they didn’t receive a payment of $ 50 million. As evidence, they released a cache of documents about upcoming, unreleased MacBook Pros. They have since added iMac schematics to the stack.
The connection with Apple and the dramatic timing caused a stir about the attack. But it also reflects the confluence of a number of disruptive trends in ransomware. After years of refining their bulk data encryption techniques to keep victims out of their own systems, criminal gangs are increasingly focusing on data theft and extortion as the core of their attacks – and making conspicuous demands in the process.
“Our team is negotiating with several major brands to sell large amounts of confidential drawings and gigabytes of personal data,” REvil wrote in his post about the stolen data. “We recommend that Apple buy back the available data by May 1st.”
For years, ransomware attacks involved encrypting a victim’s files and doing a simple transaction: pay the money, get the decryption key. However, some attackers tried a different approach: not only did they encrypt the files, they also stole them first and threatened to lose them, which added extra leverage to ensure payment. Even if victims were able to restore their affected data from backups, they run the risk of the attackers sharing their secrets with the entire Internet. And in recent years, prominent ransomware gangs like Maze have taken the approach. Blackmail is increasingly the norm today. And groups have even gone a step further, as is the case with REvil and Quanta. You’ve been completely focused on data theft and extortion, and you haven’t bothered to encrypt files at all. They are thieves, not kidnappers.
“Data encryption is definitely becoming less and less of a part of ransomware attacks,” said Brett Callow, threat analyst at antivirus firm Emsisoft. “In fact, ‘ransomware attack’ is now probably some kind of misnomer. We have come to a point where threat actors realize that the data itself can be used in a variety of ways. “
In the case of Quanta, attackers likely feel like they’ve hit a nerve as Apple is notoriously keeping intellectual property and new products in its pipeline a secret. By hitting a downstream vendor in the supply chain, attackers give themselves more options for the companies to blackmail them. For example, Quanta also supplies Dell, HP, and other large technology companies, so a breach of Quanta’s customer data would be potentially valuable to attackers. Attackers may also find softer targets when reaching out to third-party vendors who may not have the resources to break into cybersecurity.
“Quanta Computer’s information security team worked with outside IT experts to respond to cyber attacks on a small number of Quanta servers,” the company said in a statement. It added that it is working with law enforcement and data protection authorities “on the most recent abnormal activity observed. There is no material impact on the company’s business operations. “
Apple declined to comment.
“A few years ago we didn’t really see a lot of ransomware plus blackmail, and now there is a trend towards blackmail-only events,” said Jake Williams, founder of cybersecurity company Rendition Infosec. “As an incident responder, I can tell you that people are more responsive to ransomware incidents. Companies I work with today are more likely to recover and avoid paying a ransom using traditional file encryption techniques. “
The demand for $ 50 million may seem extraordinary, but it also fits in with the recent “big game hunting” ransomware trend. REvil reportedly gave Acer the same amount in March, and the average demand for ransomware reportedly doubled between 2019 and 2020. Large companies have become more popular destinations specifically because they can potentially afford large payouts. It’s a more efficient bat for a criminal group than cobbling together smaller payments from more victims. And attackers have already experimented with strategies to put pressure on blackmail victims, such as: B. contacting people or companies whose data could be affected by a breach and telling them to encourage a target to pay. As recently as this week, a ransomware group threatened to leak information to short sellers of publicly traded companies.
A company like Apple would probably take the risk of losing intellectual property seriously. However, other organizations, especially those that hold regulated customer personal data, have even more incentives to pay if they believe this is helping to cover up an incident. A seven-digit ransom might look appealing if disclosing a breach could result in fines of $ 2 million under laws like the European GDPR or California Consumer Law.
“Even if Apple would now specifically pay or force the payment through Quanta, this is not necessarily a reliable, repeatable model for attackers,” says Williams. “But there are a very large number of organizations that have regulated data and the cost of their potential fines are fairly predictable, so it may be more reliable and defenders should be concerned.”
The potential for blackmail attacks against supply chain providers increases the risks of any business. And since companies have often covertly paid ransom in the past, a force that may drive even more transactions in that direction will only add to the challenge of getting a grip on ransomware gangs. The Justice Department announced on Wednesday that it is establishing a national task force to address the ever-growing threat posed by ransomware.
Given the aggressive evolution of ransomware – and internationally – they will have more than their hands full.
This story originally appeared on wired.com.