REvil's Big Apple Ransomware Gambit Looks to Pay Off

The REvil ransomware gang is known for audacious attacks on the world’s biggest organizations, and its demands for astronomical ransoms to match. But the gang’s latest squeeze on Apple just hours before its splashy new product launch was a bold move, even for the notorious ransomware-as-a-service gang.

The original attack was launched against Quanta, a Global Fortune 500 manufacturer of electronics, which claims Apple among its customers. The Taiwanese-based company was contracted to assemble Apple products, including Apple Watch, Apple Macbook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics.

Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!

REvil was able to breach the Quanta servers, steal the files and hold them for ransom, according to a statement posted on its dark web site—dubbed the “Happy Blog”—in which it said Quanta refused to pay the original ransom for the attack, according to a published report. Once Quanta refused to pay to get the files back, REvil started leaking a set of blueprints for some products to turn up the pressure, adding more would be leaked every day the ransom went unpaid.

In an added stroke of criminal ingenuity to ratchet up the pressure to pay, REvil decided to start leaking the ripped off files just hours before Apple’s Spring Loaded event on Tuesday, including schematics for some new iMacs it debuted there. The company took the wraps off a host of new products at the event.

“In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many,” according to REvil’s blog post, the report said. “Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem.”

These events, formerly led by Apple founder Steve Jobs, have become integral to the brand, and are presented with big hype and fanfare from Cupertino.

Now REvil said it wants $50 million by May 1 from Apple to give the files back. Indeed, REvil is not known for messing around; if the group says it has documents from victims and it will post them, it generally will, given previous experience.

“The REvil ransomware gang doesn’t make false promises,” observed Ivan Pittaluga, CTO of enterprise security firm ArcServe, in an email to Threatpost. “They’re notoriously known for leaking data if their demands aren’t met.”

REvil’s Maximum Pressure on Apple

REvil clearly understood the significance of the leak’s timing. Recorded Future said someone claiming to be the group’s spokesperson hinted last Sunday on a forum the group was prepping for its “loudest attack ever.”

They delivered.

And REvil is definitely growing. Last fall the person claiming to be the group’s leader said it expected to make $100 million by the end of 2020. With a May 1 deadline for Apple to pay $50 million, it looks like the stakes have been ramped up substantially.

REvil operates a ransomware-as-a-service business, which offers material support to other “affiliates” who handle the technical details of the attack. REvil affiliates get 70 to 80 percent of the ransom. The affiliate partners must take care of the initial infection, wiping out backups and exfiltrating the files. REvil handles ransom negotiations, payment, delivery of the encryptor and develops the software, the REvil leader explained last fall.

REvil’s leader also teased a “big attack coming…linked to a very large video game developer” in last fall’s published interview.

An international-headline-grabbing caper against Apple would be just the kind of thing that might attract other would-be ransomware attackers to partner up with REvil, whose proof of concept is all over the news. Not only is this likely to provide a big payday, the Apple attack is turning out to be a publicity coup for their brand.

“It’s clear from these recent attacks that REvil has perfected its approach to extorting companies for large amounts of money with ease,” noted Chandra Basavanna, CEO of cybersecurity firm SecPod in an email to Threatpost.

Last month REvil, which has been on an attack frenzy lately, claimed to hit nine organizations across Africa, Europe, Mexico and the United States. Many of the documents the group said they stole in the attacks appeared upon review to be authentic, according to those who saw the documents.

The demand on Apple also isn’t the first time REvil has demanded such a hefty sum from a tech leader. Last month the group demanded $50 million in ransom from computer maker Acer.

Even if Apple doesn’t pay up, the cyberattack could lead to good financial things for REvil.

“Quanta was likely a target of opportunity and was likely pursued not because it would pay a large ransom, but because it held confidential data belonging to many of its customers and those customers could be extorted for ransoms,” Oliver Tavakoli, CTO at Vectra told Threatpost about REvil’s possible motivations. “Once the data had been extracted from Quanta Computer, the data was likely classified regarding its potential value and whether opportune dates loomed on the calendar which would help create more pressure on the target organization to pay. Apple met the criteria of deep pockets plus an upcoming product launch date.”

Growing tensions between the U.S. and Russia were probably a side benefit, Tavakoli added.

Tense U.S.-Russia Relations, a Ransomware Backdrop

REvil’s possible connection with the Russian government and its high-profile attack on America’s largest tech company should be viewed as another act of aggression by Vladimir Putin to send a signal to the new Biden Administration, according to Lior Div, CEO of Cybereason.

“This attack is a direct challenge to the Biden administration from Russia,” Div said in a statement provided to Threatpost. “When the largest U.S. supplier of consumer technology and products is hit by this type of attack, the message from Russia to Western companies and governments is loud and clear: We can control you.”

Apple’s attack follows the catastrophic Solar Winds breach, he pointed out, which the U.S. government has attributed to Russian-backed nation-state actors.

“Russia is telling the United States that it can steal our blueprints and our IP – and that these types of attacks will continue bigger than ever with higher ransom demands,” Div added. “Putin will use the plausible deniability excuse and claim that the hacking group associated with the attack is not connected to Moscow.”

As if almost on cue, the U.S. Department of Justice announced on April 21, the day following the Apple leaks, that it was launching a new ransomware task force, which will focus on “takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains,” according to Acting Deputy Attorney General John Carlin who wrote in a memo announcing the move.

But it’s unclear how successful those efforts would be against groups like REvil.

Digital Shadows analyst and Russian-language underground forum expert Austin Merritt recently explained during a Threatpost roundtable event that even if there’s no state sponsorship directly, there is an operating agreement between these threat actor groups within Russia, like REvil, that they can conduct their operations from the country but need to direct their attacks outside Russian borders. He added that these groups can act with impunity against the West without fear of law enforcement or extradition, leaving them free to grow their operations.

Merritt added that Emotet was taken down only thanks to coordination with Ukraine, which not only has its own cybercrime task force, but coordinates enforcement with the West.

“I have made it a policy not to guess what goes on in Putin’s mind – but the fact that there would be tense relations between the Biden and Putin administrations was easy to predict, and each side is likely to deploy its vast array of pressure tactics which come up just short of a military confrontation,” Tavakoli said by email.

Regardless of motivations, Dirk Schrader from New Net Technologies told Threatpost that the scale of the damage being inflicted by ransomware, which he said is expected to top $20 billion in 2021 alone, should make stopping these attacks a top priority.

“The ever-growing dependence on digital technology will further increase this and the impact any ransomware case has on the society,” Schrader said. “State-sponsored cybercrime actors, or those actors who have a preference for a certain government or regime, will use their growing might to ‘support’ a certain policy position by that regime. Addressing this complex should be a priority task for any government, where the difficulty is to find the right combination of enforcement and encouragement, given that cybersecurity is still seen as cost not as an enabler of business resilience by many.”

ArcServe’s Pittaluga called the attack on Quanta and subsequent ransom demand on Apple a “cautionary tale” for other companies who themselves may have tightly secure networks but can be affected by flaws in the supply chain.

“To avoid a similar fate, companies should actively patch any vulnerabilities in their network, frequently back up data to a separate location offsite or in the cloud, and conduct threat analyses continuously,” he advised.

Elizabeth Montalbano contributed to this report.

Download our exclusive FREE Threatpost Insider eBook,“2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!