{
	"id": "3b61ff5c-22de-4d4e-bac7-1a43d8bafffa",
	"created_at": "2026-04-06T00:21:10.41092Z",
	"updated_at": "2026-04-10T13:12:17.625011Z",
	"deleted_at": null,
	"sha1_hash": "a4c0a0e20dde65fdc9e7919ae57e6f6f184ba192",
	"title": "Computer giant Acer hit by $50 million ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2158728,
	"plain_text": "Computer giant Acer hit by $50 million ransomware attack\r\nBy Lawrence Abrams\r\nPublished: 2021-03-19 · Archived: 2026-04-05 15:43:36 UTC\r\nComputer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known\r\nransom to date, $50,000,000.\r\nAcer is a Taiwanese electronics and computer maker well-known for laptops, desktops, and monitors. Acer employs\r\napproximately 7,000 employees and earned $7.8 billion in 2019.\r\nYesterday, the ransomware gang announced on their data leak site that they had breached Acer and shared some images of\r\nallegedly stolen files as proof.\r\nhttps://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/\r\nPage 1 of 5\n\nThese leaked images are for documents that include financial spreadsheets, bank balances, and bank communications.\r\nAcer data leak on REvil ransomware site\r\nIn response to BleepingComputer's inquiries, Acer did not provide a clear answer regarding whether they suffered a REvil\r\nransomware attack, saying instead that they \"reported recent abnormal situations\" to relevant LEAs and DPAs.\r\nYou can read their complete response below:\r\n\"Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are\r\nconstantly under attack, and we have reported recent abnormal situations observed to the relevant law\r\nenforcement and data protection authorities in multiple countries.\"\r\n\"We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our\r\ninformation integrity. 
We urge all companies and organizations to adhere to cyber security disciplines and best\r\npractices, and be vigilant to any network activity abnormalities.\" - Acer.\r\nIn requests for further details, Acer said \"there is an ongoing investigation and for the sake of security, we are unable to\r\ncomment on details.\"\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal\r\nat +16469613731 or on Wire at @lawrenceabrams-bc.\r\nHighest known ransom demand\r\nAfter publishing our story, Valery Marchive of LeMagIT discovered the REvil ransomware sample used in the Acer attack\r\nthat demanded a whopping $50 million ransom.\r\nSoon after, BleepingComputer found the sample and can confirm that based on the ransom note and the victim's\r\nconversation with the attackers, the sample is from the cyberattack on Acer.\r\nAcer ransom demand on Tor payment site\r\nIn conversations between the victim and REvil, which started on March 14th, the Acer representative showed shock at the\r\nmassive $50 million demand.\r\nLater in the chat, the REvil representative shared a link to the Acer data leak page, which was secret at the time.\r\nThe attackers also offered a 20% discount if payment was made by this past Wednesday. 
In return, the ransomware gang\r\nwould provide a decryptor, a vulnerability report, and the deletion of stolen files.\r\nAt one point, the REvil operation offered a cryptic warning to Acer \"to not repeat the fate of the SolarWind.\"\r\nREvil's $50 million demand is the largest known ransom to date, with the previous record being the $30 million ransom from the\r\nDairy Farm cyberattack, also by REvil.\r\nPossible Microsoft Exchange exploitation\r\nVitali Kremez told BleepingComputer that Advanced Intel's Andariel cyberintelligence platform detected that the REvil gang\r\nrecently targeted a Microsoft Exchange server on Acer's domain.\r\n\"Advanced Intel's Andariel cyberintelligence system detected that one particular REvil affiliate pursued Microsoft Exchange\r\nweaponization,\" Kremez told BleepingComputer.\r\nAndariel feed showing targeting of Acer Exchange Server\r\nThe threat actors behind the DearCry ransomware have already used the ProxyLogon vulnerability to deploy their\r\nransomware but they are a smaller operation with fewer victims.\r\nIf REvil did exploit the recent Microsoft Exchange vulnerabilities to steal data or encrypt devices, it would be the first time\r\none of the big game-hunting ransomware operations used this attack vector.\r\nUpdate 3/19/21 2:45PM: Updated with information from discovered Acer ransomware sample.\r\nSource: https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/"
	],
	"report_names": [
		"computer-giant-acer-hit-by-50-million-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4c0a0e20dde65fdc9e7919ae57e6f6f184ba192.pdf",
		"text": "https://archive.orkl.eu/a4c0a0e20dde65fdc9e7919ae57e6f6f184ba192.txt",
		"img": "https://archive.orkl.eu/a4c0a0e20dde65fdc9e7919ae57e6f6f184ba192.jpg"
	}
}