Cyber Incident Victim: Acer Finance
Date:
May 2021
Location:
France
Summary
The Avaddon ransomware group compromised a France-based financial consultancy firm, stealing sensitive client and employee data including banking details, contracts, and personal correspondence. Attackers issued a 240-hour deadline for negotiation before leaking documents, threatened disruptive DDoS attacks if unpaid, and asserted encrypted files were irrecoverable without their proprietary tool. The gang substantiated claims by publishing proof such as employee IDs, contracts, and directory screenshots. This incident coincided with broader Avaddon campaigns targeting global entities across finance, government, and healthcare sectors, following recent warnings by international cybersecurity agencies.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 16, 2021, the Avaddon ransomware group publicly disclosed a cyberattack against France-based financial consultancy firm Acer Finance. The company, which provides investment management, risk analysis, financial planning, and advisory services to individuals, entrepreneurs, and institutional clients in France, suffered a breach resulting in the theft of sensitive corporate and client data. Avaddon ransomware operators claimed possession of extensive confidential information, including client financial records, employee personal data, banking details, internal correspondence, contractual agreements, payment forms, secretariat records, and licensing documentation. The attackers issued an ultimatum demanding communication within 240 hours (10 days) before initiating data leaks, while simultaneously threatening to deploy DDoS attacks against Acer Finance infrastructure if ransom demands were not met. The group emphasized that data recovery without their proprietary decryptor was impossible, indicating they had deployed ransomware encryption alongside the data exfiltration.
As proof of compromise, Avaddon published samples of stolen data on their leak site, including employee identification cards, personal documents, contracts, and directory screenshots showing folder structures containing exfiltrated information. The incident coincided with broader Avaddon ransomware operations targeting multiple sectors globally, as evidenced by coordinated alerts from the FBI and Australian Cyber Security Centre (ACSC) issued the preceding week. These advisories identified France among the primary targeted nations, with victim organizations spanning government, finance, energy, manufacturing, and healthcare sectors. While the specific ransom amount and Acer Finance's response remained undisclosed in available reporting, the breach exposed operational and client data whose disclosure could materially impact financial trust relationships. The attackers' concurrent claim of compromising AXA Asia's regional operations and exfiltrating three terabytes of data demonstrated parallel targeting of financial sector entities during this campaign period.