This article is more than 1 year old

Ransomware masterminds claim to have nabbed 53GB of data from Intel's Habana Labs

Miscreants threaten to make files, source code public within 72 hours

The Pay2Key ransomware group on Sunday posted what appear to be details of internal files obtained from Habana Labs, an Israel-based chip startup acquired a year ago by Intel.

The hacking group, which has been linked to Iranians by security firm Check Point, published a screenshot of source code credited to Habana Labs via Twitter, alongside a link to a Tor Browser-accessible .onion address. The website contains file names associated with Habana Labs' Gerrit code collaboration software, DomainController data, and documents that appear to have come from the AI chipmaker.

As this story was being written, the @pay2key account was suspended for violating Twitter's rules.

The ReadMe file posted to the .onion website says Intel and Habana Labs have seventy-two hours to stop further leaks, which the unidentified author suggests may include Active Directory information and associated passwords, and the entirety of the company's Gerrit server, said to consist of 53GB worth of data.

Screenshot of directory from Pay2Key Habana Labs leak

Click to enlarge

Intel acquired Habana Labs, a maker of deep learning accelerator chips for data centers, for $2bn in December, 2019. The Santa Clara-based chipmaker declined to comment on the matter.

Check Point last month reported that the Pay2Key ransomware had not previously been seen. It said the name had been registered with cryptographic identity service in June and the ransomware started showing up in October.


'Malwareless' ransomware campaign operators pwned 83k victims' MySQL servers, 250k databases up for sale


Since then, the data abduction software has reportedly been used against at least three Israeli companies, according to Check Point, and at least one European company, according to Swascan.

Ransomware typically involves accessing a server without authorization, encrypting the files found, and then demanding a ransom payment for the decryption key. Payment does not guarantee decrypted files or any assurance those files have not been copied and made available elsewhere.

Check Point says the Pay2Key group conducts "double extortion" by threatening to decrypt files and release them publicly as a way to pressure victims into paying. The requested ransom payments to date have typically been between 7 and 9 Bitcoin, which presently translated to somewhere between $135K and $173K.

The reason Check Point believes the Pay2Key group consists of Iranians is that past ransom payments have gone through Excoino, an Iranian cryptocurrency exchange available to individuals with a valid Iranian phone number and an Iranian ID/Melli code. ®

More about


Send us news

Other stories you might like