
Apple heist explained: How blueprints were stolen in $50m ransomware attack


The daring attack disturbs the biggest element surrounding a new Apple product: its mystery and intrigue

From the outside, it was a typically adrenaline-filled, glitzy affair: the launch of a new line of iPads and iMacs.

But behind the scenes, Apple and one of its electronics manufacturing partners, Quanta, were grappling with how to respond to a US$50 million ransom demand and the theft and public broadcast of unreleased Apple product blueprints.

The REvil ransomware gang, also known as Sodinokibi, is a highly successful ransomware-as-a-service outfit believed to be based in Russia.

It is not afraid of going after high-profile targets: the group has previously stolen and released or sold sensitive data on Lady Gaga and Donald Trump, as well as global enterprises like Acer, Travelex and Honda.

But this is arguably the gang’s most ambitious play yet.

Last week, as Apple was taking the wraps off its new product lines, REvil’s operators were posting to their ironically named Happy Blog dark web site a taunting promise to “provide data on the upcoming releases of the company so beloved by many”.

“Tim Cook can say thank you Quanta,” they wrote.

By the time Apple’s highly anticipated product launch was over, REvil had posted the internal designs for what appears to be a new iMac.

They also claim to have stolen design documents for unreleased Apple laptops and watches.

The group says it infiltrated the corporate network of Taiwan-based Quanta, a key parts supplier to Apple as well as many other big-name technology companies.

The announcement of the stolen blueprints was timed as it was because Quanta refused to pay the requested US$50 million ransom to recover its data, the hackers said.

The refusal prompted them to go after Quanta’s biggest customer instead.

Apple has now been given until May 1 to hand over the cash. New stolen files will continue to be posted until the ransom is paid, the hackers said.

“The REvil ransomware gang doesn’t make false promises,” Ivan Pittaluga, CTO of enterprise security firm ArcServe, told ThreatPost.

“They’re notoriously known for leaking data if their demands aren’t met.”

It appears to be the first time a ransomware gang has shifted its demands to a victim’s customer after being refused by its initial target.

“This is a new approach in the double extortion name-and-shame technique, where the threat actor engages with the affected third parties after the unsuccessful attempt to negotiate ransom with the primary victim,” Dmitry Smilyanets, Recorded Future threat intel analyst, told The Record.

Experts believe this could signal a new, emboldened era for REvil and its affiliates, and suggest more victims of the size and stature of Apple are likely.


“We know that they are protected most likely by Russian intelligence or the Russian government, as are most ransomware groups, which has allowed them to flourish over the last 18 months,” Marc Bleicher of Arete Incident Response told CNBC.

“I think, you know, based on what we’ve seen so far, this may be just the tip of the iceberg.”

“To avoid a similar fate, companies should actively patch any vulnerabilities in their network, frequently back up data to a separate location offsite or in the cloud, and conduct threat analyses continuously,” ArcServe’s Pittaluga advised.

Ahmed Khanji


Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

