Following news today that Apple was targeted in a ransomware attack carried out by REvil – with a key Apple supplier in Taiwan being sent threats around stolen blueprints of new iPads and iMacs – please find below commentary from security expert.
<p>Ransomware attacks are among the fastest growing cyber threats (one report projected that 2021 will see companies fall victim to an attack every 11 seconds). The first and most important thing to do when you\’ve been hit by an attack is to disconnect the infected device from your network immediately (that means turning off GPS, Bluetooth, WiFi, etc) and removing external hardware like USB sticks and SD cards. Next, you should make everyone else in the company aware of the attack with advice on how to identify and avoid the attack themselves. The safest recovery method then is to wipe the device and restore its system and files using your backup data. This example of \’double extortion\’ ransomware is a worrying new trend, combining a ransomware infection with the threat of a data breach – A severe one for a very well-known brand in this case. The best advice for organisations remains: do not engage with the criminal elements who undertake ransomware campaigns; instead, ensure they have the appropriate defensive mechanisms in place.</p>
<p>Paying a ransom should never be encouraged. This is just a desperate attempt of the REVil gang to extort money. The leak is from Quanta a supplier to Apple. Who appear to of already rejected the request to pay the ransom which is why REVil are now lobbying Apple to pay. The reality is, if any crooked organisation wants to reverse engineer and copy Apple products, go into an Apple store and buy one. It’s a lot cheaper than the price REVil are offering for the plans. </p> <p> </p> <p>In terms of dealing with personal data leaks, how could you possibly trust a criminal group not to later leak the data anyway.</p> <p> </p> <p>A payment would reek of a cover up attempt and possibly money laundering charges. The breach happens the second the data leaves the building and response actions have to be based around minimising the potential impact to victims that are in your control.</p>
Last edited 2 years ago by Andy Norton
Niamh Muldoon , Senior Director of Trust and Security EMEA
April 22, 2021 4:51 pm
<p>Paying the ransom may seem like the obvious decision a business would make here, but there are other factors that the business needs to consider when making this decision. It would be advised that they should start by analysing the three factors associated with the attack – the means, the motive, and opportunity. This can be accompanied by industry, economic and market conditions. Factoring three or four variables into this business decision will help support a business in making an informed decision on the possible impact to the business, including brand and reputational damage.</p> <p> </p> <p>Out of all the various types of cyber-crime activities, ransomware is the one activity that has a high direct return of investment associated with it. As the victims’ data is being held ransom for financial payment, the attackers are motivated to execute these types of attacks. Taking the global economic environment and current market conditions into consideration cyber criminals will of course continue to focus on this revenue generating stream during 2021, so careful consideration is needed to all input factors for this decision.</p>
<p>REvil initially targeted Quanta Computer, one of Apple\’s business partners, who refused to negotiate with the group after REvil claimed to have stolen vast amounts of sensitive date from Quanta. Quanta have a number of high profile customers including Alienware, Lenovo, Cisco, and Microsoft, and it appears that the Ransomware gang will work through the list depending on the levels of information stolen for each customer. So far, REvil already has a number of schematics and diagrams of MacBook components on its dark web leak site as part of their efforts to force Quanta to negotiate.</p> <p> </p> <p>REvil has become one of the most common ransomware-as-a-service (RaaS) operators and has made a number of high profile demands recently.</p> <p> </p> <p>Once a ransom payment is paid to REvil the core developers and the affiliates split the payment. However, as with all ransom demands even if the demands are met, there are no guarantees that this data hasn’t been copied and could appear for sale in the future. If REvil are unsuccessful in their negotiations with Apple it will be no surprise to see them try another client of Quanta.</p>
<p><strong>What is </strong><strong>REvil</strong><strong>?</strong> </p> <p> </p> <p>The REvil (also known as Sodin or Sodinokibi) ransomware has been known since 2019 and it can both encrypt data and steal it. It is distributed on specialised forums ‘by subscription’ (ransomware-as-<wbr />a-service). Thus, two groups of attackers are involved in the attack: the first finds a breach in the protection of the organisation and injects REvil there and the second creates the malware. After encryption or data theft, a ransom is demanded from the victim. And if successful, it is divided between these groups. An interesting feature is that the malware does not start if certain languages are detected when checking the system language and existing keyboard layouts (this is a large set of dozens of layouts), including Russian. </p> <p> </p> <p><strong>How real is the threat made by the actors?</strong> </p> <p> </p> <p>The threat is real and this is not the first high-profile incident that has used this malware. </p> <p> </p> <p><strong>What should Apple do in this situation? And how can they protect themselves if contractors are so easily hacked?</strong> </p> <p> </p> <p>Unfortunately, purely technical protection measures are not enough – the contractor\’s protection perimeter is under their jurisdiction. Manufacturers are left to impose strict information security requirements for their suppliers, as well as, for example, imposing legal sanctions for such violations. </p> <p> </p> <p><strong>How can information security services help in this case? Is the main task of information security teams to prevent such attacks?</strong> </p> <p> </p> <p>The main task is to prevent the occurrence of such attacks in the future. In the aftermath of such attacks, it is important to conduct a comprehensive investigation of the incident, draw conclusions about the current vulnerabilities and fix them (remove excessive use of RDP, especially without a VPN, and reduce the attack surface). Also, in our opinion, it is important to put in place effective monitoring, and to have an action plan in case such attacks occur. </p> <p> </p> <p><strong>Is this attack unique? How do you think it may affect the info security world?</strong> </p> <p> </p> <p>Targeted ransomware attacks on large companies have become quite common, especially over the past few years. One specific attack, even on an organisation known worldwide, will not change the way things are operated. But we hope that the reaction to this trend will include the introduction of information security events monitoring; complex cybersecurity systems, including for proactive detection of attacks; and enhanced training of employees around cybersecurity rules. </p>
<p>Ransomware attacks are among the fastest growing cyber threats (one report projected that 2021 will see companies fall victim to an attack every 11 seconds). The first and most important thing to do when you\’ve been hit by an attack is to disconnect the infected device from your network immediately (that means turning off GPS, Bluetooth, WiFi, etc) and removing external hardware like USB sticks and SD cards. Next, you should make everyone else in the company aware of the attack with advice on how to identify and avoid the attack themselves. The safest recovery method then is to wipe the device and restore its system and files using your backup data. This example of \’double extortion\’ ransomware is a worrying new trend, combining a ransomware infection with the threat of a data breach – A severe one for a very well-known brand in this case. The best advice for organisations remains: do not engage with the criminal elements who undertake ransomware campaigns; instead, ensure they have the appropriate defensive mechanisms in place.</p>
<p>Paying a ransom should never be encouraged. This is just a desperate attempt of the REVil gang to extort money. The leak is from Quanta a supplier to Apple. Who appear to of already rejected the request to pay the ransom which is why REVil are now lobbying Apple to pay. The reality is, if any crooked organisation wants to reverse engineer and copy Apple products, go into an Apple store and buy one. It’s a lot cheaper than the price REVil are offering for the plans. </p> <p> </p> <p>In terms of dealing with personal data leaks, how could you possibly trust a criminal group not to later leak the data anyway.</p> <p> </p> <p>A payment would reek of a cover up attempt and possibly money laundering charges. The breach happens the second the data leaves the building and response actions have to be based around minimising the potential impact to victims that are in your control.</p>
<p>Paying the ransom may seem like the obvious decision a business would make here, but there are other factors that the business needs to consider when making this decision. It would be advised that they should start by analysing the three factors associated with the attack – the means, the motive, and opportunity. This can be accompanied by industry, economic and market conditions. Factoring three or four variables into this business decision will help support a business in making an informed decision on the possible impact to the business, including brand and reputational damage.</p> <p> </p> <p>Out of all the various types of cyber-crime activities, ransomware is the one activity that has a high direct return of investment associated with it. As the victims’ data is being held ransom for financial payment, the attackers are motivated to execute these types of attacks. Taking the global economic environment and current market conditions into consideration cyber criminals will of course continue to focus on this revenue generating stream during 2021, so careful consideration is needed to all input factors for this decision.</p>
<p>REvil initially targeted Quanta Computer, one of Apple\’s business partners, who refused to negotiate with the group after REvil claimed to have stolen vast amounts of sensitive date from Quanta. Quanta have a number of high profile customers including Alienware, Lenovo, Cisco, and Microsoft, and it appears that the Ransomware gang will work through the list depending on the levels of information stolen for each customer. So far, REvil already has a number of schematics and diagrams of MacBook components on its dark web leak site as part of their efforts to force Quanta to negotiate.</p> <p> </p> <p>REvil has become one of the most common ransomware-as-a-service (RaaS) operators and has made a number of high profile demands recently.</p> <p> </p> <p>Once a ransom payment is paid to REvil the core developers and the affiliates split the payment. However, as with all ransom demands even if the demands are met, there are no guarantees that this data hasn’t been copied and could appear for sale in the future. If REvil are unsuccessful in their negotiations with Apple it will be no surprise to see them try another client of Quanta.</p>
<p><strong>What is </strong><strong>REvil</strong><strong>?</strong> </p> <p> </p> <p>The REvil (also known as Sodin or Sodinokibi) ransomware has been known since 2019 and it can both encrypt data and steal it. It is distributed on specialised forums ‘by subscription’ (ransomware-as-<wbr />a-service). Thus, two groups of attackers are involved in the attack: the first finds a breach in the protection of the organisation and injects REvil there and the second creates the malware. After encryption or data theft, a ransom is demanded from the victim. And if successful, it is divided between these groups. An interesting feature is that the malware does not start if certain languages are detected when checking the system language and existing keyboard layouts (this is a large set of dozens of layouts), including Russian. </p> <p> </p> <p><strong>How real is the threat made by the actors?</strong> </p> <p> </p> <p>The threat is real and this is not the first high-profile incident that has used this malware. </p> <p> </p> <p><strong>What should Apple do in this situation? And how can they protect themselves if contractors are so easily hacked?</strong> </p> <p> </p> <p>Unfortunately, purely technical protection measures are not enough – the contractor\’s protection perimeter is under their jurisdiction. Manufacturers are left to impose strict information security requirements for their suppliers, as well as, for example, imposing legal sanctions for such violations. </p> <p> </p> <p><strong>How can information security services help in this case? Is the main task of information security teams to prevent such attacks?</strong> </p> <p> </p> <p>The main task is to prevent the occurrence of such attacks in the future. In the aftermath of such attacks, it is important to conduct a comprehensive investigation of the incident, draw conclusions about the current vulnerabilities and fix them (remove excessive use of RDP, especially without a VPN, and reduce the attack surface). Also, in our opinion, it is important to put in place effective monitoring, and to have an action plan in case such attacks occur. </p> <p> </p> <p><strong>Is this attack unique? How do you think it may affect the info security world?</strong> </p> <p> </p> <p>Targeted ransomware attacks on large companies have become quite common, especially over the past few years. One specific attack, even on an organisation known worldwide, will not change the way things are operated. But we hope that the reaction to this trend will include the introduction of information security events monitoring; complex cybersecurity systems, including for proactive detection of attacks; and enhanced training of employees around cybersecurity rules. </p>