Cyber attack roundtable | Combatting the risk of ransomware payouts

The latest roundtable discussion from Security on Screen analyses the recent cyber attack against Apple’s major supplier, Quanta, as well as ransomware payouts – should they be the last resort?

One of Apple’s major distribution suppliers, Quanta, was hit by a cyber attack yesterday and said it was working to “recover data” after one of the world’s most notorious hacking gangs, REvil, said it was attempting to extort both companies.

The Taiwanese company, which manufactures computers for Apple and also supplies companies such as Cisco, Microsoft and Siemens, said it had suffered “cyber attacks on a small number of Quanta servers” and was “conducting detailed investigation to ensure containment and recovery of data are in process.”

The hacking group, REvil, said on its dark web site that it had compromised Quanta and was now extorting Apple. Like other ransomware gangs, REvil locks up the data or computer systems of its victims until it is paid off. In this instance, the group said Quanta had refused to co-operate with its demands and it was now asking Apple to pay a ransom by 1st May in exchange for not leaking their sensitive information.

“Our team is negotiating the scale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” the REvil post added. It also shared copies of what appeared to be Apple product blueprints, though it is unclear whether these contained any confidential information. Meanwhile, Apple has declined to comment at this time.

Meeting demands

“…As with all ransom demands even if the demands are met, there are no guarantees that this data hasn’t been copied and could appear for sale in the future…”

Lewis Jones, Threat Intelligence Analyst, Talion

REvil had initially demanded $50m from Quanta, which responded on Wednesday, saying there had been no material impact to its operations, and that “a small range of services” hit by the attacks had been restored. It had notified relevant law enforcement and data protection agencies, it said.

According to Lewis Jones, Threat Intelligence Analyst at Talion: “REvil initially targeted Quanta Computer, who refused to negotiate with the group after REvil claimed to have stolen vast amounts of sensitive data from Quanta. They have a number of high-profile customers including Alienware, Lenovo, Cisco, and Microsoft, and it appears that the Ransomware gang will work through the list depending on the levels of information stolen for each customer.”

Jones continues: “So far, REvil already has a number of schematics and diagrams of MacBook components on its dark web leak site as part of their efforts to force Quanta to negotiate. REvil has become one of the most common ransomware-as-a-service (RaaS) operators and has made a number of high profile demands recently.

“Once a ransom payment is paid to REvil the core developers and the affiliates split the payment. However, as with all ransom demands even if the demands are met, there are no guarantees that this data hasn’t been copied and could appear for sale in the future. If REvil are unsuccessful in their negotiations with Apple it will be no surprise to see them try another client of Quanta.”

To pay or not to pay?

“Paying the ransom may seem like the obvious decision a business would make here, but there are other factors that the business needs to consider when making this decision…”

Niamh Muldoon, Global Data Protection Officer, OneLogin

Ransomware attacks have become increasingly prevalent as criminals have used cryptocurrencies such as bitcoin to collect payment without being tracked, and as a shift to remote working during the pandemic has left companies more vulnerable to attacks. Gangs of ransomware hackers made more than $350m in 2020, a 31% jump on the previous year, according to Chainalysis, though the true figure is likely to be higher given that many victims do not disclose attacks or payouts. 

“Paying the ransom may seem like the obvious decision a business would make here, but there are other factors that the business needs to consider when making this decision,” says Niamh Muldoon, Global Data Protection Officer at OneLogin. “It would be advised that they should start by analysing the three factors associated with the attack – the means, the motive, and opportunity. This can be accompanied by industry, economic and market conditions. Factoring three or four variables into this business decision will help support a business in making an informed decision on the possible impact to the business, including brand and reputational damage.”

Andy Norton, European Risk Officer at Armis agrees: “Paying a ransom should never be encouraged. This is just a desperate attempt of the REvil gang to extort money. The leak is from Quanta, a supplier to Apple, who appear to have already rejected the request to pay the ransom, which is why REvil are now lobbying Apple to pay.

“The reality is, if any crooked organisation wants to reverse engineer and copy Apple products, go into an Apple store and buy one. It’s a lot cheaper than the price REvil are offering for the plans. In terms of dealing with personal data leaks, how could you possibly trust a criminal group not to later leak the data anyway? A payment would reek of a cover-up attempt and possibly money laundering charges. The breach happens the second the data leaves the building, and response actions have to be based around minimising the potential impact to victims that are in your control.”

Martin Jartelius, CSO at Outpost 24 also comments: “Paying the ransom does not guarantee that the attackers will not do anything with the data. As a matter of fact, the worst has already happened; the company’s reputation has been impacted and blueprints have reportedly already been published. Paying and dealing with the threat actors might therefore be the absolute last resort. Depending on the scale, investigating the matter, informing customers in full, and making sure it does not ever happen again, so starting from scratch, might be the best way forward here.”

Ransomware recovery

“These groups which initially operated only by locking people out of their files have found that it can be even more lucrative to extort a ransom in exchange for not publishing leaked data…”

Paul Norris, Senior Systems Engineer, EMEA, Tripwire

REvil, which also goes by the name of Sodinokibi, is known for making some of the biggest demands to have been made public. Last month, it asked Acer for an initial $50m in return for its stolen data, before doubling the demand, according to news reports at the time.

“Groups like REvil have been wildly successful at monetising data exfiltrated from their victims,” says Paul Norris, Senior Systems Engineer EMEA at Tripwire. “These groups which initially operated only by locking people out of their files have found that it can be even more lucrative to extort a ransom in exchange for not publishing leaked data. In some cases, the groups claim to have organised sales to interested third parties when the original data owners refused to pay.”

Norris suggests: “Hardening a system helps reduce the attack surface and helps to safeguard the integrity of digital assets, protect against vulnerabilities and common security threats which may be leveraged as entry points. I hope that board rooms around the world are already discussing what data they hold and the impact of not only data loss but also data disclosure. This conversation must necessarily play a significant role in making sure that IT security is being properly handled.”

Jamie Ahktar, Co-founder and CEO at CyberSmart adds: “Ransomware attacks are among the fastest growing cyber threats (one report projected that 2021 will see companies fall victim to an attack every 11 seconds). The first and most important thing to do when you’ve been hit by an attack is to disconnect the infected device from your network immediately (that means turning off GPS, Bluetooth, WiFi, etc) and removing external hardware like USB sticks and SD cards. Next, you should make everyone else in the company aware of the attack with advice on how to identify and avoid the attack themselves.

He concludes: “The safest recovery method then is to wipe the device and restore its system and files using your backup data. This example of ‘double extortion’ ransomware is a worrying new trend, combining a ransomware infection with the threat of a data breach, a severe one for a very well-known brand in this case. The best advice for organisations remains: do not engage with the criminal elements who undertake ransomware campaigns; instead, ensure they have the appropriate defensive mechanisms in place.”
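The recovery advice above (wipe the device, restore from backup) only works if the backup itself was not touched by the intruder. One defensive check a practitioner would want before restoring is to compare the backup tree against a hash manifest recorded at backup time. The script below is an added example, not code from the article or from any of the vendors quoted in it. It assumes backups are plain directory trees and that the manifest was written before the incident and kept somewhere the attacker could not reach (offline or on an immutable store); all file names and contents are constructed for the demonstration.

```python
"""Verify a backup tree against a SHA-256 manifest before restoring from it.

Added example, not part of the original article. Assumptions (hypothetical):
- the backup is a directory tree on local disk;
- a manifest (relative path -> sha256) was produced when the backup was
  taken and stored separately, so a later compromise cannot rewrite it.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current backup tree with the trusted manifest.

    Returns a report with four lists:
      ok         - present and hash matches
      modified   - present but contents changed (e.g. overwritten/encrypted)
      missing    - listed in the manifest but gone (e.g. renamed or deleted)
      unexpected - on disk but not in the manifest (e.g. dropped-in files)
    """
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in current:
        if rel not in manifest:
            report["unexpected"].append(rel)
    return report


def safe_to_restore(report: dict) -> bool:
    """Only restore when the tree matches the manifest exactly."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Constructed scenario: take a backup, then tamper with it the way a
    ransomware infection that reached the backup share might (overwrite one
    file, rename another, drop an extra file), and verify both states."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "design.txt").write_text("constructed blueprint text\n")
        (backup / "docs" / "notes.txt").write_text("constructed meeting notes\n")

        manifest = build_manifest(backup)          # taken before the incident
        clean_report = verify_backup(backup, manifest)

        # Simulated post-incident tampering of the backup tree
        (backup / "docs" / "design.txt").write_bytes(b"\x00\xffgarbled bytes")
        (backup / "docs" / "notes.txt").rename(backup / "docs" / "notes.txt.locked")
        (backup / "docs" / "extra.bin").write_bytes(b"\x01\x02\x03")
        tampered_report = verify_backup(backup, manifest)

        return {"clean": clean_report, "tampered": tampered_report}


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label}: safe_to_restore={safe_to_restore(report)} {report}")
```

The important design point is that the manifest is the trust anchor: if it lives on the same share as the backup, an intruder with write access can regenerate it, so store it offline or sign it. A restore should be refused, not merely warned about, when any file is modified, missing or unexpected, because partially encrypted or planted files restored onto a freshly wiped machine simply reintroduce the problem.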
