Apple’s ransomware mess is the future of online extortion

On the day Apple was set to announce a slew of new products at its Spring Loaded event, a leak appeared from an unexpected quarter. The notorious ransomware gang REvil said they had stolen data and schematics from Apple supplier Quanta Computer about unreleased products and that they would sell the data to the highest bidder if they didn’t get a $50 million payment. As proof, they released a cache of documents about upcoming, unreleased MacBook Pros. They've since added iMac schematics to the pile.

The connection to Apple and dramatic timing generated buzz about the attack. But it also reflects the confluence of a number of disturbing trends in ransomware. After years of refining their mass data encryption techniques to lock victims out of their own systems, criminal gangs are increasingly focusing on data theft and extortion as the centerpiece of their attacks—and making eye-popping demands in the process.

“Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” REvil wrote in its post of the stolen data. “We recommend that Apple buy back the available data by May 1.”

For years, ransomware attacks involved the encryption of a victim's files and a simple transaction: pay the money, get the decryption key. But some attackers also dabbled in another approach—not only did they encrypt the files, but they stole them first and threatened to leak them, adding additional leverage to ensure payment. Even if victims could recover their affected data from backups, they ran the risk that the attackers would share their secrets with the entire Internet. And in the past couple of years, prominent ransomware gangs like Maze have established the approach. Today incorporating extortion is increasingly the norm. And groups have even taken it a step further, as is the case with REvil and Quanta, focusing completely on data theft and extortion and not bothering to encrypt files at all. They're thieves, not captors.

“Data encryption is becoming less of a part of ransomware attacks for sure,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft. “In fact ‘ransomware attack’ is probably something of a misnomer now. We’re at a point where the threat actors have realized that the data itself can be used in a myriad of ways.”

In the case of Quanta, attackers likely feel they hit a nerve, because Apple is notoriously secretive about intellectual property and new products in its pipeline. By hitting a vendor downstream in the supply chain, attackers give themselves more options about the companies they can extort. Quanta, for example, also supplies Dell, HP, and other large tech companies, so any breach of Quanta's customer data would be potentially valuable for attackers. Attackers also may find softer targets when they look to third-party suppliers who may not have as many resources to funnel into cybersecurity.

“Quanta Computer's information security team has worked with external IT experts in response to cyber attacks on a small number of Quanta servers,” the company said in a statement. It added that it is working with law enforcement and data protection authorities “concerning recent abnormal activities observed. There's no material impact on the company's business operation.”

Apple declined to comment.

“A couple of years ago, we didn’t really see much ransomware plus extortion at all, and now there's an evolution all the way to extortion-only events,” says Jake Williams, founder of the cybersecurity firm Rendition Infosec. “I can tell you as an incident responder that people have gotten better at responding to ransomware events. Organizations I work with are more likely today to be able to recover and avoid paying a ransom with traditional file-encryption techniques.”