REvil gang wants Apple to pay $50m ransom in exchange for stolen product design data

The group claims it exfiltrated Apple product data after breaching Taiwanese supplier Quanta Computer

Apple supplier Quanta has reportedly fallen victim to a ransomware attack from the Russian hacking group REvil, which is now threatening to leak schematics for current and future Apple products unless it is paid $50 million (about £36 million) in ransom.

According to Bloomberg, the REvil operators claimed in a message posted on their dark web leak site that they were able to exfiltrate Apple product data after breaching the systems of Quanta Computer, a Taiwanese firm that manufactures MacBooks and other products for Apple from designs and schematics Apple supplies to it.

On 20 April, the group posted images from the stolen data, including schematics for Apple's just-revealed iMac redesign and manufacturing diagrams for Apple's 2020 M1 MacBook Air refresh.

The images were posted on a hacking forum after Quanta refused to pay the ransom in return for the data.

It appears that the group timed its extortion attempt to coincide with Apple's latest 'Spring Loaded' event.

REvil now wants Apple to pay the ransom by the beginning of May. It has threatened to keep posting new images from the stolen data daily until it receives $50 million from the iPhone maker. The gang also said that it was "negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands".

"We recommend that Apple buy back the available data by May 1," it said.

Quanta confirmed the hacking incident to Bloomberg, saying it was working with law enforcement authorities and data protection authorities on the matter.

"Quanta Computer's information security team has worked with external IT experts in response to cyber attacks on a small number of Quanta servers," it noted.

The firm added that it does not expect any material business impact as a result of the ransomware attack.

This is not REvil's first ransomware attack against a laptop maker. The group has carried out similar attacks on Acer and other firms in the past several months.

REvil, also known as Sodinokibi or Sodin, gains access to companies' networks through malicious spam, exploits against vulnerable internet-facing software, exposed remote desktop services and compromised managed service providers (MSPs), whose remote-management access to their customers gives the attackers a route into many networks at once.
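Two of the access routes listed above, exposed remote desktop services and password guessing against them, leave a footprint in ordinary firewall and Windows logon logs. The script below is an added example written for this page; it is not code from the article, from Quanta or from REvil. It parses constructed sample log lines in two hypothetical formats (a firewall "ALLOW" line and a "LOGON_FAIL" line carrying the Windows logon type, where type 10 is RemoteInteractive, i.e. RDP), flags any RDP session reached from a non-RFC 1918 source, and flags sources with repeated RDP logon failures. The threshold, the log formats and the addresses are all assumptions. Note that it deliberately does not use `ipaddress.is_private`, because that property also classifies the RFC 5737 documentation ranges used in the sample as private, which would hide the hits.

```python
"""Added example: flag exposed RDP and RDP brute-forcing from sample logs.

Assumed (hypothetical) log formats:
  firewall: "<ts> ALLOW TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
  logon:    "<ts> LOGON_FAIL user=<name> src=<ip> type=<logon_type>"
"""
import ipaddress
import re
from collections import Counter, defaultdict

RDP_PORT = 3389
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed RDP logons from one source before alerting

# Explicit internal ranges (RFC 1918 plus loopback and link-local). We avoid
# ipaddress.is_private on purpose: it also treats the RFC 5737 documentation
# ranges used in the sample data below as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

FW_RE = re.compile(r"^(\S+) ALLOW TCP (\S+):(\d+) -> (\S+):(\d+)$")
LOGON_RE = re.compile(r"^(\S+) LOGON_FAIL user=(\S+) src=(\S+) type=(\d+)$")


def is_external(ip: str) -> bool:
    """True when the address is not in any of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_rdp(firewall_lines):
    """Return sorted (dst_ip, src_ip) pairs where an external host reached RDP."""
    hits = set()
    for line in firewall_lines:
        m = FW_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the whole run
        _ts, src, _sport, dst, dport = m.groups()
        if int(dport) == RDP_PORT and is_external(src):
            hits.add((dst, src))
    return sorted(hits)


def rdp_brute_force(logon_lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return {src_ip: (failure_count, distinct_users_tried)} for sources whose
    RemoteInteractive (type 10) logon failures reach the threshold."""
    fails = Counter()
    users = defaultdict(set)
    for line in logon_lines:
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        _ts, user, src, ltype = m.groups()
        if ltype != "10":  # only RDP-style logons are of interest here
            continue
        fails[src] += 1
        users[src].add(user)
    return {src: (n, len(users[src])) for src, n in fails.items() if n >= threshold}


# Constructed sample data (not real logs); 198.51.100.0/24, 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for public addresses.
SAMPLE_FW = [
    "2021-04-20T10:00:01 ALLOW TCP 10.0.0.5:51000 -> 10.0.0.20:3389",
    "2021-04-20T10:00:02 ALLOW TCP 198.51.100.7:44321 -> 203.0.113.10:3389",
    "2021-04-20T10:00:03 ALLOW TCP 198.51.100.7:44322 -> 203.0.113.10:443",
    "2021-04-20T10:00:04 ALLOW TCP 192.0.2.9:33000 -> 203.0.113.10:3389",
    "garbage line that should be ignored",
]
SAMPLE_LOGON = [
    "2021-04-20T10:01:00 LOGON_FAIL user=administrator src=198.51.100.7 type=10",
    "2021-04-20T10:01:01 LOGON_FAIL user=admin src=198.51.100.7 type=10",
    "2021-04-20T10:01:02 LOGON_FAIL user=quanta src=198.51.100.7 type=10",
    "2021-04-20T10:01:03 LOGON_FAIL user=backup src=198.51.100.7 type=10",
    "2021-04-20T10:01:04 LOGON_FAIL user=test src=198.51.100.7 type=10",
    "2021-04-20T10:01:05 LOGON_FAIL user=root src=198.51.100.7 type=10",
    "2021-04-20T10:01:06 LOGON_FAIL user=jdoe src=10.0.0.5 type=10",
    "2021-04-20T10:01:07 LOGON_FAIL user=svc src=198.51.100.7 type=3",
]


def report(firewall_lines=SAMPLE_FW, logon_lines=SAMPLE_LOGON):
    """Combine both checks into one finding set for a SOC triage queue."""
    return {
        "exposed_rdp": exposed_rdp(firewall_lines),
        "rdp_brute_force": rdp_brute_force(logon_lines),
    }


if __name__ == "__main__":
    for kind, findings in report().items():
        print(kind, findings)
```

On the sample data the external sources 198.51.100.7 and 192.0.2.9 both reach RDP on 203.0.113.10, and 198.51.100.7 also accounts for six RemoteInteractive failures across six different usernames, the spray pattern that precedes a guessed-password RDP intrusion. In production the two feeds would be the perimeter firewall log and Security event 4625 with Logon Type 10, and the correct response to the first finding is to take RDP off the internet entirely rather than tune the threshold.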

Like almost all other ransomware groups operating today, REvil runs a ransomware-as-a-service (RaaS) operation, in which the core developers maintain the malware and lease it to affiliates, who break into target organisations and deploy it to encrypt their devices.

In an interview with Recorded Future expert Dmitry Smilyanets last month, a REvil representative who uses the alias 'Unknown' on dark web forums said that the business of ransomware (or cybercrime) has always been lucrative, and that the group sees any corporate target as fair game.

Commenting on the Quanta data leak, Jeff Sizemore, Chief Governance Officer at Egnyte, said the breach that gave attackers access to Apple's confidential IP is concerning "given the secrecy of Apple when it comes to product designs and roll-outs".

"It's a disaster for the IT team responsible for file security and protecting data within the organisation," Sizemore added.

"Unfortunately, we see far too often that there are methods and tools being employed that don't meet the security and control needs of an organisation. Security is more than a checklist. The best solutions fit in a broader sense of governance but still make it easy to share files with anyone without compromising security and control.

"The reality is that all content is vulnerable without proper data governance, and it is imperative that organisations protect the data itself, not just the infrastructure that transports it.

"If secure file collaboration tools are implemented correctly, they can render cybercriminals' attacks useless. Used in a case like this where the adversaries were able to infiltrate the network and exfiltrate files, the files themselves would be inaccessible to outsiders, and the valuable IP would remain locked away."