While this attack at Acer may be unique in that it targeted vulnerabilities in Microsoft Exchange to trigger a massive-scale attack, this won’t be the last time we see this vulnerability exploited. It’s easy for cybercriminals to perform these attacks, and there are a plethora of unpatched Microsoft Exchange servers, creating a lethal combination. That said, other companies can learn from Acer’s situation and prepare before they’re hit.  

There is nothing better than prevention, so it’s really important for businesses to implement solid cyber hygiene measures. This involves mitigating high-critical vulnerabilities by automating scanning and remediation processes. Not only does this paint an accurate picture of the attack surface at all times, but it reduces IT team fatigue and improves productivity. It’s also crucial that teams keep multiple copies of backups and encrypt confidential data so they can lean on them to restore systems and operations. Implementing good cyber hygiene isn’t a one and done exercise, either; IT security teams must continuously monitor for vulnerabilities and research different attack patterns so they can fully understand their level of risk. 

Ransomware attacks are a major source of income for cybercriminals with a huge reward for very little effort.  The $50 million demand is the highest currently known and whilst shocking only serves to demonstrate the potential that the perpetrators see in this form of attack.  Acer should not consider paying this Ransom as doing so would simply keep this as a viable business model.  It should also be noted that there is no guarantee that an organisation will be able to decrypt data after paying a ransom as ransomware does not go through strict quality control and often contains bugs that may prevent successful recovery.  It is more important than ever to conduct regular security assessments and ensure that the latest security patches are tested and deployed as soon as they are available.  Organisations should also consider the design of their environments to help prevent the spread of an attack should the worst happen.

We have also seen a trend in these large-scale attacks that is troubling. The compromise of Active Directory, which is the main nerve center of delivering services to employees and applications, is being used in every attack. 

Ransomware has become a global economic threat that impacts businesses of all sizes. Ransomware attackers are well resourced and equipped with sophisticated tools that used to be reserved for nation-state attackers. Many organisations are becoming victims like these universities, and are faced with difficult decisions on whether to pay or face disruption of operations. 

The situation is compounded by security defenders finding that they can no longer trust the software or security systems that they have historically relied on. A new approach to security architecture is desperately needed, though unfortunately, many security teams are not gaining the executive level support, resources, or budget to achieve it.

To stay protected, businesses must add layers of defense that include quickly detecting attacker lateral movement and privilege escalation. One of the fastest ways to better protect an organization is to obfuscate the attack surface with decoys and data concealment so that cybercriminals cannot find what they seek. A more sophisticated security posture would include adding in misdirections that channel the attackers own momentum against them, further disrupting their ability to succeed and deterring the attack.

As evidenced by the recent SITA breach impacting the travel industry, today’s cyber attackers have become increasingly sophisticated with their tactics, which have grown in complexity. This evolution has several reasons, including lengthy dwell time that attackers are leveraging for their massive attacks and supply chain weaknesses where software is explicitly trusted. 

Attackers are quietly exploiting these weaknesses to change policies and create backdoors. Traditional security defenses that rely on signatures, logs, and database lookups can’t sufficiently detect lateral movement or imposters using real employee credentials. Additionally, security infrastructure has failed to detect vulnerabilities and attacks on critical infrastructure such as Active Directory. However, by focusing more on lateral movement, credential theft, and privilege escalation, organizations can still mitigate the pervasiveness of these attacks until they establish greater security.

The reported Acer ransomware attack shows that attackers use multiple campaigns to discover security weaknesses and get a foothold into organizations. Human-operated attackers discover and compromise accounts with high privileges to move laterally and deploy ransomware organization-wide. Organizations can still get ahead of these attacks. Applying data cloaking and establishing a zero-trust architecture is critical for stopping attackers from getting deeper into the trust stack. By preventing attackers from discovering high privilege accounts in Active Directory and denying access to files, folders, or mapped network and cloud shares, attackers cannot locate or access the data they seek. This serves as a powerful defense against data theft and ransomware attacks.

There's still a lot of uncertainty about the extent of the attack on Acer. Not only did the REvil operation lockdown files, but they also clearly exfiltrated some portion of that data. Exfiltration before encryption is becoming increasingly popular because it gives victims two reasons to pony up the ransom: they need to both regain access to their files and attempt to prevent leaks of their data.

The part that's most disturbing about this incident, however, is the threat from the attackers that Acer could be the next SolarWinds. Encrypting files and exfiltrating data, even their source code, wouldn't allow them to perpetrate a SolarWinds-style supply chain attack. For that, they would need to have compromised Acer's build or update systems.

While that seems unlikely at this point, and is probably just a scare tactic to increase the odds of getting the ransom paid, the prospect of a multi-vector attack that involves encryption, exfiltration, and exploitation, is terrifying. It's a cyber attack hat trick.

In this case, Acer was able to spot the compromise of its systems fairly quickly, but for businesses that aren’t so fast the repercussions can be even more severe.

Protecting an organisation from the impact of any attack - including ransomware - comes down to ensuring security defences are up to date, appropriately configured and by making sure employee behaviour is driven towards best practices. Focusing on these areas will help to minimise the impact of the many security issues which are caused by gaps in basic IT hygiene. These weak points can be identified and fixed before a problem occurs if organisations have the correct level of visibility and control into the IT environment, but many don’t. 

In the aftermath of an attack, it is important to immediately start the process of damage control, to mitigate the impact as much as possible. Endpoint management tools can help with this by detecting unauthorised access to a company’s systems, as well as locating and managing sensitive data across endpoints to avoid future attacks.

The main questions that IT teams should be asking themselves when defending their organisation against attacks like the one Acer fell victim to is: Is everything patched? Are security tools up to date? Is there complete visibility of all endpoints within your perimeter? It can take many organization days, weeks and even months to complete a patching cycle or even to get reliable information about their software and hardware assets.  What they need is to be able to get visibility and be able to take action in minutes.  Also, another complexity is location: Now that everyone is working from home, can you apply the same visibility and protection to all of your employees - indeed, all of your assets - whatever their location? Having a strong strategy in place that covers these fundamental areas will go a long way towards protecting an organisation.

Ransomware is just another type of malware. It’s very important to employ multiple layers of security and monitoring controls in your environment to help prevent this type of exposure. Keeping virus signatures and patching up to date, as well as maintaining recent or real-time backups can also help limit the efficacy of this type of attack. 

Devaluing data is the best way to protect sensitive information in your storage resources, which may include personally identifiable information (PII), personal health information (PHI) or payment data for employees and customers. For long-term storage, tokenization is the most appropriate strategy to devalue PII, like Acer's financial details in this case. Tokenization substitutes each piece of PII with a pseudonym, such as a random string of numbers, that will be stored in the company’s storage resources instead of the PII itself. This “token” has no exploitable value for hackers.

Not only is it vital to employ multiple layers of security and monitoring controls in your environment to help prevent exposure to ransomware, it’s equally important that companies ensure that the data they are intaking and are storing is encrypted or tokenized. If not, hackers can leverage clear-text data to demand companies pay, or they will expose the data in what is being called a “double-extortion” scheme. It’s not enough to backup files anymore – and in the preliminary reports of the Acer ransomware attack, it is being reported that the leaked documents include financial spreadsheets, bank balances and more. All of these records could contain sensitive payment and PII data, which should be protected in these systems.

This was no doubt a meticulously planned attack which involved target research, professional hacking, and uncrackable encryption. As with the majority of ransomware attacks nowadays, this attack also involved data theft and the REvil gang has since taunted Acer on a message posted on a data leak website with images of stolen documents.

Fifty million dollars is a huge ransom demand, but when the victim is a high-profit business, then the world’s top ransomware gangs can afford to be cocky with their demands too.

As ransomware gangs continue to be more inventive with the types of data and businesses they target, this should serve as a lesson to all organisations to keep adequate technical defences in place to ensure cyber resilience – including threat intelligence technologies, up-to-date software, and operating systems and proper employee education. Businesses should also have a good backup strategy, data recovery, and roll-back plans in place to alleviate the impact of any data loss.

Ransomware is no longer just about encrypting files but also stealing the data making it a multifunctional weapon. If a company has a solid backup to restore systems then the criminal gang can threaten to disclose damaging data that could directly impact the stock price, brand, employees, and potential customers.

What we are seeing with ransomware is that cybercriminals continue to abuse privileged access which enables them to steal sensitive data and deploy malicious ransomware. This means that organizations should prioritize privileged access as a top security measure to reduce the risks of ransomware and ensure strong access controls and encryption for sensitive data.

Companies must take ransomware very seriously as it will continue to be the biggest cyber threats, and as we can see from this eye-wateringly high ransom demand - the price you pay for not being prepared is on the rise. It only takes one employee with local admin privileges clicking on a malicious email attachment to take down an entire company.”