Apple Falls Victim to a Ransomware Gang’s Latest Tactics

Apple executives found out firsthand how it feels to have sensitive data held for ransom. Discover what happened and what you can learn from it.

Apple expected to be in the news a great deal in April 2021. That’s because its “Spring Loaded” event — an event showcasing its new and updated offerings — was scheduled for April 20. However, Apple also made headlines for another event that it didn’t anticipate. It received a demand for $50 million from a ransomware gang. Here is what happened and what you can learn from it.


The April Event That Apple Didn’t Plan On

In mid April, a ransomware gang named REvil broke into the network of Quanta Computer, an electronic device manufacturer that Apple uses to assemble some of its devices. Before encrypting Quanta’s files, the gang stole a lot of data, including the schematics and other proprietary data for several soon-to-be-released Apple products.

The REvil gang members demanded that Quanta pay $50 million for the decryption key and the safe return of all the stolen data. When Quanta didn’t pay up, the cybercriminals decided to up the ante in two ways. First, they started demanding $50 million from Apple as well as Quanta. Second, they threatened to sell the stolen documents to the highest bidder if Apple or Quanta did not pay the ransom by May 1.

To prove that it had the data, the REvil gang members posted more than 15 screenshots of MacBook and iMac schematics on in its leak site on April 20. They did this before the tech giant’s “Spring Loaded” event aired to further pressure Apple and Quanta into paying. “In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many,” said the gang.

Posting some of the stolen schematics got Apple’s and Quanta’s attention, prompting negotiations between REvil and Quanta. On April 22, REvil agreed to hide the leaked data and stop talking to reporters to allow the negotiations to continue, according to a chat session between the two groups. In that chat, REvil stated, “Having started a dialogue with us, you can count on a good discount.” REvil kept its promise and reduced the ransom to $20 million. The gang also extended the deadline to May 7.

The negotiations apparently hit a snag on April 24, when REvil again threatened to release more of the documents it had stolen. “If in the near future we do not receive answers from you, we [will] begin to publish drawings of the new iPad, new Apple logos,” said the gang. As of May 3, no new images have been posted and the previous screenshots are still hidden.


The Takeaways

We may find out if Quanta or Apple paid the ransom. Nevertheless, there are two important lessons you can learn from it.

The first takeaway is that ransomware gangs are focusing more on data theft and extortion these days and less on improving their data encryption techniques. “Data encryption is becoming less of a part of ransomware attacks for sure,” said an threat analyst at Emsisoft. “In fact, ‘ransomware attack’ is probably something of a misnomer now.”

Data theft and extortion was initially used by ransomware gangs to pressure businesses that were unwilling to pay up. The gangs stole companies’ files before encrypting them, threatening to publicly post the data on leak sites if their demands were not met. Cybercriminals quickly discovered that the fear of having data publicly exposed is an effective motivator in and of itself, especially if the stolen files contain proprietary business information or personal data.

While stealing proprietary business information for extortion is worrisome, security experts are more concerned about ransomware gangs stealing personal data for this purpose, especially if the data is regulated by laws such as the US Health Insurance Portability and Accountability Act (HIPAA) or the EU General Data Protection Regulation (GDPR). Companies experiencing the theft of regulated personal data might be more willing to pay the ransom to cover up the incident so they won’t have to incur regulatory fines and face other repercussions. Plus, numerous companies use and store regulated personal data, which means more potential targets for cybercriminals.

“Even if Apple specifically would pay or compel payment through Quanta now, that doesn’t necessarily make it a reliable, repeatable model for attackers,” explained a cybersecurity expert at Rendition Infosec. “But there’s a very large number of organizations that have regulated data, and the cost of their potential fines is fairly predictable, so that [model] may be more reliable [for attackers] — and the thing defenders should worry about.”

To make matters worse, some cybergangs are even going a step further these days, which brings us to the second takeaway: Ransomware gangs are increasingly using the data they stole during a ransomware attack for other extortion attempts. For example, a cybercriminal claiming to be a member of a “larger but undisclosed organized group that regularly steals data for the purpose of extracting ransom payments” stole thousands of patient records from a psychotherapy practice. The records contained patients’ personal data as well as transcripts of their therapy sessions. Initially, the gang member posted the data of 300 patients on a leak site to get the practice to pay the ransom. Later, the cybercriminal tried to blackmail individual patients directly. The gang member threatened to expose a patient’s records if he or she did not pay the ransom.

The REvil gang probably had multiple extortions in mind when it picked Quanta as a target, as this company has many high-profile customers. They include not only Apple but also Dell, HP, Lenovo, Microsoft, Sony, and Toshiba. “Quanta was likely a target of opportunity and was likely pursued not because it would pay a large ransom, but because it held confidential data belonging to many of its customers and those customers could be extorted for ransoms,” said a threat detection expert at Vectra.


Don’t Let Your Company’s Data Be Posted on a Leak Site

Ransomware gangs are continually adapting their tactics. Being aware of important changes is the first step in developing a plan to defend against the latest attacks. We can provide you with more information about these and other noteworthy changes in ransomware attacks so you can make sure that your business is protected.


Apple flickr photo by antmn shared under a Creative Commons (BY) license