Skip links

AMD targeted by RansomHouse, cybercrims claim to have ‘450Gb’ in stolen data

If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.

RansomHouse says it obtained the files from an intrusion into AMD’s network on January 5, 2022, and that this isn’t data from a previous leak of its intellectual property.

This relatively new crew also says it doesn’t breach the security of systems itself or develop or use ransomware. Instead, it acts as a “mediator” between attackers and victims to ensure payment is made for the stolen data.

RansomHouse said on its Tor-hidden site that it was holding “450 Gb” – it’s unclear whether the group actually means “gigabytes” or “gigabits” – and posted samples of the data on the website. The data was stolen from AMD in January, according to the group.

Online privacy specialist RestorePrivacy said in a blog post it had examined the sample of the data and that it includes network files, system information, and AMD passwords gathered in the alleged breach. According to the RansomHouse group, AMD used simple passwords to protect its network.

“An era of high-end technology, progress and top security … there’s so much in these words for the crowds,” the gang wrote on its site. “But it seems those are still just beautiful words when even technology giants like AMD use simple passwords like ‘password’ … to protect their networks from intrusion. It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our our [sic] hands on – all thanks to these passwords.”

The cybercriminals also put AMD on a list of victims that they claim “either have considered their financial gain to be above the interests of their partners/individuals who have entrusted their data to them or have chosen to conceal the fact that they have been compromised.”

RestorePrivacy suggested that might indicate AMD has yet to pay a ransom for the stolen data.

Cybersecurity bod Catalin Cimpanu on Twitter noted RansomHouse’s claim of not deploying ransomware and wrote that “this might be a failed attack where someone is trying to monetize some stolen data. … [RansomHouse] looks like someone who buys hacked data to extort companies instead.”

Cimpanu also suggested that the data “could be from an AMD partner, but RansomHouse might be trying to pass it as AMD’s for more catchy media coverage. These groups often use this tactic to add pressure on a victim’s upstream contractors. See REvil’s Quanta incident, where they claimed it was Apple.”

For example, AMD partner Gigabyte, a hardware maker from Taiwan, was compromised in August 2021 by the ransomware group RansomEXX, which reportedly stole as much as 112GB of data.

Cimpanu wrote that there were rumors earlier this year that AMD was the victim of ransomware, though the rumors were never officially confirmed.

The Register has reached out to AMD for comment.

RansomHouse is a relatively new player on the cybercrime scene, first emerging in December 2021. According to RestorePrivacy, RansomHouse’s first victim was Saskatchewan Liquor and Gaming Authority. In total, the group lists six victims, including ShopRite, a large retail chain in Africa. RansomHouse earlier this month leaked data that was stolen from ShopRite.

Threat intelligence researchers at cybersecurity company Malwarebytes Labs put RansomHouse in the category of “grey hats” – black hat hackers who have the potential to do good or white hats who take a step into the dark side while keeping one foot in the light. In a blog post late last month, they noted that other security researchers suggested the extortion gang may be made up of frustrated white hats who are frustrated with the state of security and are punishing organizations for the lax security of their infrastructure.

The researchers wrote that RansomHouse enters networks by exploiting vulnerabilities to steal data and coerces victims to pay up, lest their data is sold to the highest bidder. And if no criminal is interested in buying the data, the group leaks it on their leak site.”

That would contradict the group’s claims that it merely acts as “professional mediators” between info-stealers and their victims.

Malwarebytes analysts also wrote that the gang is unique in how it extorts money from victims, marketing themselves “as penetration testers and bug bounty hunters more than your average online extortionist. After stealing data from targets, they offer to delete it and then provide a full report on what vulnerabilities they exploited and how.”

As with ransomware groups, RansomHouse also have avenues – an account on Telegram and a leak site – to communicate with victims and others that want to track their activities.

Analysts at threat intelligence vendor Cyware in a blog post in May noted that RansomHouse attackers may be “dissatisfied bug bounty hunters” and noted the group has been promoted by other gangs, including being mentioned in ransom notes from ransomware group White Rabbit and in Telegram posts by another ransomware group, Lapsus$.

“While experts believe that RansomHouse is not going to become a very successful gang in the near future, the launch of a new data exfiltration portal should be taken seriously,” the Cyware researchers wrote. “While the techniques employed by the attackers may not work on every organization, the impact can still be severe depending on the nature of the stolen data.” ®