REvil Ransomware Attack on Quanta affects Apple
On April 20th, 2021, attackers using the well-known REvil ransomware, also referred to as Sodinokibi, launched an attack on Quanta Computer, followed by a demand for $50 million USD by April 27, or $100 million USD after that deadline.
Apple a Huge Target for Ransomware Attack
Apple products, including the MacBook line, iPhone, iPad and iWatch among many others, are some of the most recognizable technology in the world; they have gone beyond the simple need to connect and have become status symbols due to their reliability, security and high cost. How big and powerful is Apple? In 2021, CompareCamp.com reported a few mind-bending statistics to show exactly where Apple sits in the market.
- In 2019 Apple announced a worldwide revenue of $260.2 billion, with a global value of $309.5 billion.
- In only Q1 of 2020, Apple had a revenue of $58.3 billion and a net profit of $11.25 billion.
- In March 2020 the iPhone was Apple’s best-selling product, with a revenue of $28.96 billion.
- In 2018, Apple made $2 billion in revenue per employee.
- Forbes ranked Apple as the 6th largest public company in the world and the 2nd largest company worldwide in market capitalization.
Apple’s published supplier list includes only 200 of their top suppliers, found in Japan, USA, China, Taiwan, Korea, Malaysia, Philippines, Singapore, India and across Europe – just to name a few. Taiwanese manufacturer Quanta Computer is responsible for building many of Apple’s most recognizable products, including the MacBook line. In short, Apple is a massive target for ransomware operators, and thus so is any company they work with.
On April 20, 2021, the same day as Apple’s “Spring Loaded” product release event, hackers on the darknet claimed to have stolen and published blueprints for several unreleased Apple products, with more data to be released to the public (and Apple competition) if an astronomical ransom wasn’t paid.
The Taiwanese Investigation Bureau, under the Ministry of Justice, is on the case but taking their sweet time, saying to Nikkei Asia:
"We are aware of an alleged cyber-attack involving Quanta and we are taking an initial step to look into and understand the nature of the incident. But we have not yet opened a case and launched an official probe."
Apple has remained typically silent, although we are sure there is a buzz of activity internally, while Quanta issued a press release saying:
"Quanta Computer's information security team has worked with external IT experts in response to cyber-attacks on a small number of Quanta servers. We've reported to, and kept seamless communications with, the relevant law enforcement and data protection authorities concerning recent abnormal activities observed. There's no material impact on the company's business operation."
Apple refused to communicate with the REvil gang or pay the ransom. In the payment negotiation dialogue between the REvil ransomware group and Quanta Computer, REvil operators warned that if Quanta did not negotiate, "drawings of all Apple devices and all personal data of its employees and customers will be released."
Still receiving no response, REvil posted an Apple schematic on its data leak site, followed by a dozen more diagrams of known MacBook components. We can only assume that they are smart enough to hold back the new product designs and schematics, either to return them to Quanta Computer and Apple for a price, or to publish or sell them on the dark web to the highest bidder.
Impact of Apple & Quanta Ransomware Attack
Quanta Computer’s lapse in network security goes well beyond affecting Apple. We are sure that Quanta-adjacent companies like Dell, Alienware, Amazon.com, Cisco, Fujitsu, Lenovo, LG, Maxdata, Microsoft, MPC, BlackBerry Ltd, Sharp Corporation, Siemens AG, Sony, Toshiba, Verizon Wireless, and Vizio, are all at risk from the same REvil ransomware now that Quanta has been successfully breached.
REvil the “Apple” of the Ransomware Industry’s Eye
REvil (Sodinokibi) first appeared in April 2019 and was identified as a strain of GandCrab ransomware, which had already proven itself dangerous and successful. IBM’s Security X-Force Incident Response team reported that 1 in 3 ransomware attacks launched and mitigated by IBM in 2020 were the work of REvil ransomware operators.
REvil has adopted a ransomware-as-a-service (RaaS) operating model: it recruits affiliate "members" who carry out the attacks on the victim's network, and it is known for exfiltrating unencrypted copies of data before encrypting the victim's devices, so that the stolen data can be used as additional leverage. After receiving the ransom, REvil core developers and affiliates share the payout, with the affiliated “members” usually getting the larger share. IBM estimates that REvil has attacked at least 140 organizations since 2019, most of which operate in the wholesale, manufacturing, and professional services markets.
Sangfor Endpoint Secure Network Security Solution
Sangfor Endpoint Secure tracks the ransomware attack chain, providing comprehensive prevention, protection, detection and response.
Endpoint Secure proactively identifies vulnerabilities in the system through security baseline inspection and vulnerability detection and repair, blocking ransomware from gaining a foothold in the system.
Endpoint Secure security capabilities include RDP brute-force ("blast") detection, a ransomware honeypot, and remote login protection, all combined with Sangfor’s other security solutions to conduct targeted countermeasures and deploy protection against common ransomware attack methods.
Endpoint Secure provides ransomware protection using real-time detection, network-wide threat location and hybrid network/cloud protection using the Sangfor Engine Zero artificial intelligence malware detection engine to quickly locate, dispose of and block ransomware throughout the network. Sangfor reminds users daily that most files encrypted by ransomware cannot be decrypted without the attacker's key, and that preventative network security measures are 100% necessary.
Sangfor Ransomware Prevention Best Practices
- Download patches and update systems and applications to repair common high-risk vulnerabilities
- Perform regular remote backups of important data, since backups that remain online can be encrypted by ransomware along with everything else
- Don't click on or download email attachments or software from unknown sources or websites
- Remove unnecessary file sharing permissions
- Regularly change account passwords and set strong password control policies for staff and end users
- If you do not need RDP for your business, turn off RDP, and never expose RDP services directly to the external network
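The following PowerShell script is an added example, not Sangfor's code and not part of the original post. It performs a read-only audit of a Windows host against three of the items above: whether RDP is enabled and reachable through the firewall, which non-administrative SMB shares grant Everyone, Users or Authenticated Users access, and whether the local password and lockout policy is weak. It assumes an elevated PowerShell 5.1 or later session on Windows 8.1 / Server 2012 R2 or newer (for the SmbShare and NetSecurity modules) and English-language output from `net accounts`; the 12-character minimum length used as the threshold is an assumption of this example, not a Sangfor figure.

```powershell
# Added example, not Sangfor's code: read-only audit of a Windows host against
# three of the best practices above (RDP exposure, broad share permissions,
# password/lockout policy). Assumes an elevated PowerShell 5.1+ session on
# Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules) and
# English-language `net accounts` output. It changes nothing on the host.

function Test-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is turned off on this host.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # Enabled inbound rules in the built-in "Remote Desktop" group open TCP/3389.
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    if ($rdpEnabled) {
        $finding = "enabled, $($openRules.Count) inbound firewall rule(s) allow it"
        $risk = if ($openRules.Count -gt 0) { 'High' } else { 'Medium' }
    } else {
        $finding = 'disabled'
        $risk = 'OK'
    }
    [pscustomobject]@{ Check = 'Remote Desktop'; Finding = $finding; Risk = $risk }
}

function Test-OpenShares {
    # Non-administrative shares that grant broad groups write access are the
    # "unnecessary file sharing permissions" ransomware uses to spread laterally.
    $broadGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        $broad = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match $broadGroups })
        if ($broad.Count -eq 0) { continue }
        $writable = @($broad | Where-Object { "$($_.AccessRight)" -in 'Full', 'Change' })
        $finding = ($broad | ForEach-Object { "$($_.AccountName): $($_.AccessRight)" }) -join '; '
        $risk = if ($writable.Count -gt 0) { 'High' } else { 'Medium' }
        [pscustomobject]@{ Check = "Share $($share.Name) ($($share.Path))"; Finding = $finding; Risk = $risk }
    }
}

function Test-PasswordPolicy {
    # `net accounts` prints the effective local policy; pull the three values
    # that matter most against password guessing and RDP brute force.
    $lines = net accounts
    $get = { param($label) (($lines | Select-String -SimpleMatch $label).Line -split ':', 2)[-1].Trim() }
    $minLength = & $get 'Minimum password length'
    $maxAge    = & $get 'Maximum password age'
    $lockout   = & $get 'Lockout threshold'
    $weak = @()
    if ([int]$minLength -lt 12)  { $weak += "minimum length $minLength (below the assumed 12)" }
    if ($maxAge -eq 'Unlimited') { $weak += 'passwords never expire' }
    if ($lockout -eq 'Never')    { $weak += 'no lockout after failed logons' }
    if ($weak) {
        $finding = $weak -join '; '
        $risk = 'High'
    } else {
        $finding = "min length $minLength, max age $maxAge days, lockout after $lockout attempts"
        $risk = 'OK'
    }
    [pscustomobject]@{ Check = 'Password policy'; Finding = $finding; Risk = $risk }
}

# Run all three checks and list the findings, worst first.
$results = @(Test-RdpExposure) + @(Test-OpenShares) + @(Test-PasswordPolicy)
$results | Sort-Object { @{ High = 0; Medium = 1; OK = 2 }[$_.Risk] } | Format-Table -AutoSize -Wrap
```

Run it as an administrator on each Windows host in scope and treat every High finding as an item to remediate: disable Remote Desktop (or restrict it to a VPN or jump host) where it is not needed, replace Everyone/Users entries on file shares with specific groups, and raise the password length and enable account lockout through local or Group Policy. The script only reads configuration, so it is safe to schedule as a recurring check.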
Sangfor Technologies
You may not think you are a target for ransomware, but if you work with other companies, you may well become a victim by proxy. REvil is often used to attack the subsidiaries, manufacturers and suppliers of larger enterprises, finding organizations where network security is more lax and their data just as valuable. Any enterprise working with or for other companies should be aware of the danger of a ransomware attack at any level, and to any adjacent third-party enterprise, as ransomware is designed to move laterally through the network, infecting everything it touches.
Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions and ransomware protection, and let Sangfor make your IT simpler, more secure and valuable.