Apple product images were stolen on the eve of the launch, and the REvil ransom gang demanded sky-high ransoms

At 10:00 a.m. PDT on April 20 (1:00 a.m. Beijing time on April 21), Apple held a special event for its spring conference with the theme of “Spring Loaded”.

A few hours later, the relevant US media revealed that the REvil ransomware gang had stolen Apple’s product blueprints and demanded that Apple pay the ransom before May 1, otherwise they would negotiate with several major brands to sell a large number of confidential drawings and gigabytes of personal data”.

The data breach stemmed from a ransomware attack on Taiwan-based Quanta, the maker of the Apple Watch, Apple Macbook Air and Apple Macbook Pro. After the attack, the REvil ransomware gang first demanded $50 million from Quanta Computer by April 27, or $100 million after the countdown ended.

  Apple product images were stolen on the eve of the launch, and the REvil ransom gang demanded sky-high ransoms

However, the company refused to communicate with the extortion gang and also refused to pay the extortion money.

As seen in the payment negotiation conversation between the REvil ransomware gang and Quanta Computer, REvil warned that if Quanta Computer did not begin negotiating the ransom, “drawings of all Apple devices and all personal data of its employees and customers will be released” .

Still without a response, REvil posted schematics on its data leak site. At present, REvil has published schematic diagrams of more than a dozen MacBook components on its dark web data leak site, but there is no indication that they are new products from Apple.


On the one hand, as a global-scale original design manufacturer of laptops, not only Quanta computers were subjected to ransomware attacks, but Compal was also attacked by DoppelPaymer ransomware last year. And attacks from the supply chain put more customers at risk. For example, Quanta Computer has many well-known customers, including Apple, Dell, Hewlett-Packard, Alienware, Lenovo, Cisco and Microsoft…

Note: REvil operates on a ransomware-as-a-service (RaaS) model, and is known for stealing unencrypted data and encrypted devices by recruiting “affiliates” to collaboratively disrupt victim networks. After getting the ransom, REvil core developers and affiliates split the ransom, with affiliates usually getting a larger share.


The Links:   MCC26-14IO1B AA104VC10

Scroll to top