To the day Apple was about to announce a large number of new products at its Spring Loaded event, a leak appeared from an unexpected neighborhood. The notorious REvil ransomware gang said they had stolen data and schematics from vendor Apple Quanta Computer on new products, and that they would sell the data to the highest bidder if they didn’t get a $ 50 million payout. As proof, they have published a cache of documents on upcoming and unpublished MacBook Pros. They’ve since added iMac schematics to the stack.
The connection to Apple and the dramatic timing generated a buzz around the attack. But it also reflects the confluence of a number of disturbing trends in ransomware. After years of refining With their mass data encryption techniques to exclude victims from their own systems, criminal gangs are increasingly focusing on data theft and extortion as the centerpiece of their attacks – and making booming demands in the field. process.
“Our team is negotiating the sale of large amounts of confidential designs and gigabytes of personal data with several major brands,” REvil wrote in its stolen data post. “We recommend that Apple repurchase the available data by May 1.”
For years, ransomware attacks involved encrypting a victim’s files and a simple transaction: pay the money, get the decryption key. But some attackers also tried another approach: not only did they encrypt the files, they stole them first and threatened to disclose them, adding additional leverage to secure payment. Even if victims could recover their affected data from backups, they ran the risk that attackers would share their secrets with the whole internet. And over the past couple of years, prominent ransomware gangs like Maze have established the approach. Today, the incorporation of extortion is more and more the norm. And groups have even gone further, as is the case with REvil and Quanta, focusing entirely on data theft and extortion and not bothering to encrypt files at all. They are thieves, not kidnappers.
“Data encryption is less and less of a ransomware attack,” said Brett Callow, threat analyst at anti-virus company Emsisoft. “In fact, ‘ransomware attack’ is probably a misnomer now. We are at a point where threat actors have realized that the data itself can be used in multiple ways. “
In the case of Quanta, attackers probably feel like they’re hitting a nerve, as Apple is notoriously secretive about intellectual property and new products in its pipeline. By hitting a supplier down the supply chain, attackers give themselves more options over which companies they can extort. A Quanta, for example, also supplies Dell, HP, and other big tech companies, so any breach of Quanta’s customer data would be potentially valuable to attackers. Attackers can also find more flexible targets when they turn to third-party vendors who don’t have as many resources to step into cybersecurity.
“Quanta Computer’s information security team has worked with external IT experts in response to cyber attacks on a small number of Quanta servers,” the company said in a statement. He added that he was working with law enforcement and data protection authorities “regarding the recent abnormal activity observed. There is no significant impact on the company’s business activities. “
Apple declined to comment.
“A few years ago we didn’t really see a lot of ransomware and extortion, and now there’s an evolution to extortion-only events,” says Jake Williams, founder of the cybersecurity firm Infosec rendering. “As an incident responder, I can tell you that people have improved in responding to ransomware events. The organizations I work with are more likely today to be able to recover and avoid paying ransom using traditional file encryption techniques. “