Prolific criminal ransomware group REvil is trying to extort money from Apple, following a data-stealing cyberattack on one of its Mac suppliers. It wants Apple to pay an undisclosed sum by May 1 if it doesn’t want its proprietary data made public.
Quanta, one of Apple’s larger suppliers, confirmed Wednesday that it had been hit with a ransomware attack. The company said that it was doing its best to recover the missing data.
Classic ransomware attacks work by encrypting user files and systems, and only providing the decryption key after a ransom is paid. This is bad news — but it ultimately causes only inconvenience to the target. There is no data breach involved.
However, in recent years, a new kind of ransomware has taken off. In these attacks, data is both encrypted and exfiltrated from victims. This adds extra urgency to paying a ransom, since refusing to pay could lead to proprietary data being published online or given to rivals.
From the sound of things, it is this latter, more sophisticated ransomware attack that Quanta has been hit with.
In addition to Apple, Quanta carries out computer manufacturing for the likes of Cisco, Microsoft, and Siemens. A message from REvil, posted on the dark web, noted that:
“Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands.”
Bloomberg notes that:
“By the time Apple’s [Tuesday] product launch was over, REvil had posted schematics for a new laptop, including 15 images detailing the guts of what appears to be a Macbook designed as recently as March 2021, according to the documents reviewed by Bloomberg … [Until Apple pays] the hackers will continue to post new files every day, REvil said on its blog.”
It is not 100% clear whether these blueprints contain confidential information about unreleased products. Chat logs seen by the Financial Times show REvil trying to extort $50 million from Quanta.
Last year, fellow MacBook maker Compal was hit with a $17 million extortion attempt. This also followed a ransomware attack.