AMD targeted by RansomHouse, attackers claim to have '450Gb' in stolen data
Relative cybercrime newbies not clear on whether they're alleging to have gigabits or gigabytes of chip biz files
If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.
RansomHouse says it obtained the files from an intrusion into AMD's network on January 5, 2022, and that this isn't material from a previous leak of its intellectual property.
This relatively new crew also says it doesn't breach the security of systems itself, nor develop or use ransomware. Instead, it acts as a "mediator" between attackers and victims to ensure payment is made for purloined data.
RansomHouse said on its Tor-hidden website that it was holding "450 Gb" – it's unclear whether the group actually means "gigabytes" or "gigabits" – and uploaded samples of the data. The material was stolen from AMD in January, according to the miscreants.
Online privacy specialist RestorePrivacy said in a blog post it had examined the sample of the data and that it includes network files, system information, and AMD passwords gathered in the alleged breach. According to the RansomHouse group, AMD used simple passwords to protect its network.
"An era of high-end technology, progress and top security … there's so much in these words for the crowds," the gang wrote on its site. "But it seems those are still just beautiful words when even technology giants like AMD use simple passwords like 'password' … to protect their networks from intrusion. It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our our [sic] hands on – all thanks to these passwords."
The cybercriminals also put AMD on a list of victims that they claim "either have considered their financial gain to be above the interests of their partners/individuals who have entrusted their data to them or have chosen to conceal the fact that they have been compromised."
RestorePrivacy suggested that might indicate AMD has yet to pay a ransom for the stolen data.
Infosec world watcher Catalin Cimpanu on Twitter noted RansomHouse's claim of not deploying ransomware and reckoned that "this might be a failed attack where someone is trying to monetize some stolen data. [RansomHouse] looks like someone who buys hacked data to extort companies instead."
Cimpanu also suggested the data "could be from an AMD partner, but RansomHouse might be trying to pass it as AMD's for more catchy media coverage. These groups often use this tactic to add pressure on a victim's upstream contractors. See REvil's Quanta incident, where they claimed it was Apple."
For example, AMD partner Gigabyte, a motherboard maker in Taiwan, was compromised in August 2021 by the ransomware group RansomEXX, which reportedly stole as much as 112GB of data.
Cimpanu wrote that there were rumors earlier this year that AMD was the victim of ransomware, though the whispers were never confirmed.
The Register has reached out to AMD for comment.
RansomHouse is a relatively new player on the cybercrime scene, emerging in December 2021. According to RestorePrivacy, RansomHouse's first victim was the Saskatchewan Liquor and Gaming Authority. In total, the group lists six victims, including ShopRite, a large retail chain in Africa. RansomHouse earlier this month leaked data that was stolen from the biz.
Threat intelligence researchers at Malwarebytes Labs put RansomHouse in the category of "grey hats" – black hat hackers who have the potential to do good or white hats who take a step into the dark side while keeping one foot in the light. In a blog post late last month, they noted other security researchers suggested the extortion gang may be made up of white hats who are frustrated with the state of security and are punishing organizations for the lax defenses around their infrastructure.
The researchers claim RansomHouse enters networks by exploiting vulnerabilities to steal data and coerces victims to pay up, lest their data be sold to the highest bidder. And if no criminal is interested in buying the data, the group dumps it on its website.
That would contradict the group's claims that it merely acts as "professional mediators" between info-stealers and their victims.
Malwarebytes analysts also wrote that the gang is unique in how it extorts money from victims, marketing themselves, as Malwarebytes put it, "as penetration testers and bug bounty hunters more than your average online extortionist. After stealing data from targets, they offer to delete it and then provide a full report on what vulnerabilities they exploited and how."
As with ransomware crews, RansomHouse also has avenues – an account on Telegram and a leak site – to communicate with victims and others who want to track its activities.
Analysts at threat intelligence vendor Cyware in a blog post in May noted that RansomHouse may be "dissatisfied bug bounty hunters" and noted the group has been promoted by other gangs, including being mentioned in ransom notes from ransomware group White Rabbit and in Telegram posts by another ransomware group, Lapsus$.
"While experts believe that RansomHouse is not going to become a very successful gang in the near future, the launch of a new data exfiltration portal should be taken seriously," the Cyware researchers wrote. "While the techniques employed by the attackers may not work on every organization, the impact can still be severe depending on the nature of the stolen data." ®