Aurich Lawson
On the day Apple was due to announce a slew of new products at the Spring Loaded event, a leak appeared from an unexpected quarter. Notorious ransomware gang REvil said they stole data and schematics from Apple vendor Quanta Computer about unreleased products and would sell the data to the highest bidder if they didn’t get a $50 million payment. As proof, they released a cache of documents about upcoming unreleased MacBook Pros. They’ve been adding iMac schedules to the stack ever since.
The connection to Apple and the dramatic timing caused a stir about the attack. But it also reflects the confluence of some disturbing trends in ransomware. After years of refining their techniques for encrypting massive data to keep victims out of their own systems, criminal gangs are increasingly turning to data theft and extortion as the center of their attacks – and making dazzling demands in the process.
“Our team is negotiating with several major brands for the sale of large amounts of confidential drawings and gigabytes of personal data,” REvil wrote in its post about the stolen data. “We recommend that Apple buy back the available data before May 1.”
For years, ransomware attacks involved encryption of a victim’s files and a simple transaction: pay the money, get the decryption key. But some attackers also took a different approach: not only did they encrypt the files, but they also stole them first and threatened to leak them, adding extra leverage to secure payment. Even if victims were able to recover their compromised data from backups, they risked the attackers sharing their secrets with the entire Internet. And in recent years, prominent ransomware gangs like Maze have developed the approach. Today, recording extortion is increasingly the norm. And groups have even gone a step further, as is the case with REvil and Quanta, focusing entirely on data theft and extortion and not bothering to encrypt files at all. They’re thieves, not kidnappers.
“Data encryption is definitely becoming less of a part of ransomware attacks,” said Brett Callow, a threat analyst at antivirus firm Emsisoft. “In fact, ‘ransomware attack’ is probably a misnomer now. We are at a point where the threat actors are realizing that the data itself can be used in myriad ways.”
In the case of Quanta, attackers likely feel they are hitting a nerve, as Apple is notoriously secretive about intellectual property and new products in the pipeline. By hitting a supplier downstream in the supply chain, attackers give themselves more options over the companies they can extort. For example, Quanta also supplies Dell, HP and other major technology companies, so any breach of Quanta’s customer data would be potentially valuable to attackers. Attackers can also find softer targets if they look to third-party vendors who may not have as many resources to go to cybersecurity.
“Quanta Computer’s information security team has been working with outside IT experts in response to cyberattacks on a small number of Quanta servers,” the company said in a statement. It added that it is cooperating with law enforcement and data protection authorities “regarding recently observed abnormal activity. There is no material impact on the business of the company.”
Apple declined to comment.
“A few years ago we didn’t see much ransomware plus extortion at all, and now there’s an evolution all the way to extortion events,” said Jake Williams, founder of the cybersecurity firm Rendition Infosec. “As an incident responder, I can tell you that people have gotten better at responding to ransomware events. Organizations I work with today are more likely to be able to recover and avoid paying a ransom with traditional file encryption techniques.”
The $50 million question may seem extraordinary, but it also fits the recent ransomware trend of “big game” hunting. REvil reportedly transferred the same amount to Acer in March, and average ransomware demand reportedly doubled between 2019 and 2020. Large companies in particular have become a more popular target because they can potentially afford large payouts; it is a more efficient racket for a criminal group than collecting smaller payments from more victims. And attackers have already experimented with strategies to pressure extortion victims, such as contacting individuals or companies whose data may have been compromised in a breach and telling them to encourage a target to pay. Just this week, a ransomware group threatened to provide information to short sellers of listed companies.
A company like Apple would probably take the threat of intellectual property leaks seriously. But other organizations, particularly those that hold regulated customer personal information, have even more reason to pay if they believe it will help cover up an incident. A seven-figure ransom might seem appealing if disclosing a breach could lead to $2 million in regulatory fines under laws such as the European GDPR or the California Consumer Privacy Act.
“Even if Apple were to specifically pay or enforce through Quanta right now, that doesn’t necessarily mean it’s a reliable, repeatable model for attackers,” says Williams. “But there’s a very large number of organizations that have regulated data and the cost of their possible fines is quite predictable, so that may be more reliable and something that defenders should be concerned about.”
The potential for extortion attacks against suppliers in the supply chain increases the risks of any business. And given that organizations have historically often paid ransoms in secret, a force potentially pushing even more transactions in that direction will only increase the challenge of getting to grips with ransomware gangs. The Justice Department said on Wednesday it is launching a national task force to tackle the ever-growing threat of ransomware.
Given how aggressively ransomware has evolved – and on an international scale – they will have their hands more than full.
This story originally appeared on wired.com.