Apple Targeted in Ransomware Attack on Quanta | Hackers Demand $50m

Ransomware attacks have been on the increase since the pandemic started in December 2019. In fact, several reports show that by the end of 2020, ransomware attacks had grown by at least 150%, and the average ransom demanded had doubled to about $170,000. Bad actors usually target companies with high revenue because of the potential for a big cashout. Targeting large technology manufacturers has also become a trend.

For example, in November 2020, Foxconn was targeted in a ransomware attack in which the hackers responsible deleted terabytes of backup data from over a thousand encrypted servers. The attackers asked for $34 million before they would release the encrypted data. For context, Foxconn is the biggest electronics equipment manufacturer for companies such as Amazon, Sony, Microsoft, and Apple. Earlier that month, hackers had targeted another manufacturer, Compal, with a ransomware attack.

This shows that large technology manufacturing companies are now at risk of more sophisticated ransomware attacks. The most recent attack happened a few days before the end of April 2021. Quanta, a Taiwan-based company that produces laptops for big tech companies, including Apple, was hit with a ransomware attack that might cost Apple $50 million.

What is Ransomware?

Ransomware is a form of malware (malicious software) that gains access to a computer and targets files or systems by encrypting them, rendering them inaccessible in a bid to make the company or owner pay for their release. The word “ransom” makes the end goal of every ransomware attack easy to understand: to make the victim pay a ransom in exchange for the release of the hostage file(s) or system(s). Once the victim pays, the attackers release a decryption key that the victim uses to decrypt the encrypted file(s) or system(s).

The first ransomware attack happened as far back as 1989. Since then, malicious entities have used advances in technology to perpetrate more sophisticated attacks. The evolution of ransomware has seen bad actors offering services such as Ransomware-as-a-Service (RaaS) to extend their network and capabilities. Mobile ransomware attacks are also emerging, and with the rate at which the use of Internet of Things technology is expanding, we are bound to see new kinds of attacks.

REvil Hacker Group Targets Apple Through Quanta

On April 20, 2021, as Apple was revealing its latest gadgets at its Spring Loaded event, one of the biggest laptop manufacturers in the world was hit by a ransomware attack perpetrated by a Russian hacker group known as REvil. Quanta manufactures MacBooks for Apple, along with other products. REvil, also known as Sodinokibi, showed evidence of its successful attack by posting the schematics of Apple’s latest products, including the already released 2020 M1 MacBook Air and the new iMac designs.

A couple of days before the data leaks, a user with the username UNKN hinted on XSS (a popular cyber-crime forum) that a big announcement was coming, urging hackers to join the group. We believe that this user represents the REvil ransomware group, tasked with announcing such news and recruiting new affiliates for its ransomware-as-a-service program.

Quanta has acknowledged that the attack happened. It also said its security team is responding to the attack, but that there is no significant impact on its business operations. In the company’s statement, Quanta said, “We’ve reported to and kept seamless communications with the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There’s no material impact on the company’s business operation.” It has since upgraded its cybersecurity infrastructure to prevent a recurrence.

The attackers demanded $50 million in exchange for the stolen images, but Quanta refused to pay, so they turned instead to the world’s most valuable company. That is why REvil released about 21 images of MacBook schematics on the same day as Apple’s Spring Loaded event, a statement that was not likely to go unnoticed.

REvil has also threatened to release new data every day until Apple pays the ransom and has set an ultimatum of May 1. The group revealed all of this through its “Happy Blog,” a site it uses to publicize its hacking exploits. Apple has not released any statement regarding the attack and has given no indication that it will pay the ransom.

A History of REvil Hacker Group and Their Exploits

Sodinokibi, popularly known as REvil, has a reputation for its ransomware attacks. People in the information security space believe that this group is Russia-based because of its reluctance to attack Russian or state-owned companies. They also believe that it is an offshoot of a previous malicious group, GandCrab. GandCrab was as prolific as REvil is now, racking up about $2 billion in ransoms in almost two years. Around the time GandCrab stopped operations, REvil started becoming prominent.

Unlike most hacker groups, REvil operates a model that allows it to make more money. It uses a Ransomware-as-a-Service (RaaS) model in which it licenses its malware to affiliates it trusts, then takes a percentage of the ransom when an affiliate carries out a successful attack. REvil also uses what is known as a double-extortion method to increase the chances of its victims paying. This means that before or while encrypting data, REvil also transfers whatever it can to its own servers and threatens to sell it.

Even a company with backups may still feel compelled to pay a ransom if the group has already transferred sensitive information to its servers. There is also the possibility of a DDoS attack on the same victim to increase the pressure and force payment. One begins to wonder why this group is doing all it can to raise funds. Is it to finance more lucrative attacks, or just plain old greed?

Now, let’s take a look at some of the widespread attacks that this group carried out in the past. 

1. Texas Local Governments

In the early hours of August 16, 2019, REvil attacked 23 Texas local government agencies and demanded a $2.5 million ransom. Staff at these agencies lost access to files they normally used. It was a coordinated attack that took out the agencies’ systems and websites. Fortunately, REvil did not reach their backup systems, so the agencies did not give in to the demands. After coordinating with several cybersecurity teams, they were able to restore access to the files and systems that REvil had held to ransom.

2. Travelex

Travelex is a foreign currency exchange company operating around the world. It is very popular in airports, where it makes exchanging your local currency for another easy. On December 31, 2019, REvil gained access to Travelex’s network. This was possible because Travelex was running an outdated VPN, and the REvil group took advantage of the vulnerabilities in the unpatched software. After infiltrating the network, REvil spread ransomware that took out Travelex’s entire network and demanded a $2.3 million ransom.

Travelex did not disclose that it had suffered a ransomware attack. Instead, it said its systems were undergoing maintenance. It then secretly paid the ransom and restored access to its network and systems. Unfortunately for Travelex, the truth made its way to the headlines, and the company lost the public’s trust. It is one thing to be the victim of an attack due to terrible security policies, but to lie to your customers and the public about it is a grievous offense. To this day, Travelex is still facing the consequences of its actions.

3. Grubman Shire Meiselas & Sacks

In May 2020, REvil gained access to more than 750 GB of private legal documents. Grubman Shire Meiselas & Sacks is a law firm representing several celebrities, including former US President Donald Trump. REvil initially set a ransom of $21 million but increased the amount after seeing Trump’s data. The law firm followed the FBI’s advice not to pay, and REvil auctioned the data on the Dark Web.

Conclusion 

The increasing attacks on companies that produce hardware for top technology companies should be a cause for concern. It is evident that these companies are targeted because of their links to giants in the technology industry. Attacks like these are reminders that companies should take cybersecurity as seriously as possible, because the cost of setting up a proper defense against attacks is usually less than the cost of recovering assets.