The ransomware gang announced on its data leak site that it had breached Acer with proof that it had nicked some files. The leaked images included financial spreadsheets, bank balances, and bank communications.
At the moment Acer has not said much and publically is not concerned. In a statement the outfit said: "Acer routinely monitors its IT systems, and most cyberattacks are well defended. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries. We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organiSations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities."
However, it did say that there was an ongoing investigation and for the sake of security and it was going to shut up about the attacks now.
Valery Marchive of LegMagIT discovered the REvil ransomware sample used in the Acer attack that demanded a whopping $50 million ransom.
The attackers also offered a 20 percent discount if payment was made by this past Wednesday. In return the ransomware gang would provide a decryptor, a vulnerability report, and the deletion of stolen files.
At one point, the REvil operation offered a cryptic warning to Acer "to not repeat the fate of the SolarWind".
REvil's $50 million demand is the largest known ransom to date, with the previous being the $30 million ransom from the Dairy Farm cyberattack, also by REvil.
Vitali Kremez told BleepingComputer that Advanced Intel's Andariel cyber intelligence platform detected that the Revil gang recently targeted a Microsoft Exchange server on Acer's domain.
"Advanced Intel's Andariel cyberintelligence system detected that one particular REvil affiliate pursued Microsoft Exchange weaponization", Kremez told BleepingComputer.
The threat actors behind the DearCry ransomware have already used the ProxyLogon vulnerability to deploy their ransomware but they are a smaller operation with fewer victims.
If REvil did exploit the recent Microsoft Exchange vulnerabilities to steal data or encrypt devices, it would be the first time one of the big game-hunting ransomware operations used this attack vector.