Semiconductor manufacturer AMD is investigating a cyber attack after the RansomHouse gang claimed to have stolen 450GB of data from the company last year.
RansomHouse, an extortion group, announced on Telegram that it would be "selling the data for a well-known three-letter company that starts with the letter A", and has since added AMD to its data leak site, claiming to have stolen 450GB of the company's data.
According to Satnam Narang, senior staff research engineer at Tenable, there has been a renaissance of pure-play extortion groups in recent months.
"Despite its name, the RansomHouse group doesn't quite fit under the label of a ransomware group in the traditional sense.
"While the group does demand a ransom as part of their operations, it would appear that they don't distribute malicious software into victim organisations.
"They are considered to be a pure-play extortion group, which we've begun to see a renaissance of in recent months," Narang said.
In an interview with BleepingComputer, RansomHouse explained their "partners" breached AMD's network about a year ago.
RansomHouse has previously been linked to ransomware operations, such as White Rabbit, but a RansomHouse spokesperson stated that the group "do not encrypt devices" and "ransomware was not used on AMD". The RansomHouse spokesperson also disclosed that the group did not contact AMD with a ransom demand, as "selling the data to other entities or threat actors was more valuable".
"No, we haven't reached out to AMD as our partners consider it to be a waste of time: it will be more worth it to sell the data rather than wait for AMD representatives to react with a lot of bureaucracy involved," the RansomHouse representative told BleepingComputer.
RansomHouse claims that the stolen data includes research and financial information, which they say is being analysed to determine its value.
The threat actors have not provided any proof of this stolen data other than a few files containing information allegedly collected from AMD's Windows domain.
The data allegedly stolen includes a leaked CSV containing a list of over 70,000 devices that appear to belong to AMD's internal network, as well as an alleged list of AMD corporate credentials for users with weak passwords, such as "password", "P@ssw0rd", "amd!23", and "Welcome1".
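The credentials described above fail for a reason a defender can test for before an attacker does: they are dictionary words, leetspeak variants of dictionary words, or the organisation's own name with a few characters appended. The following is an added example, not code from the article or from AMD, of a small credential audit that normalises leetspeak and trailing digits so that "P@ssw0rd", "Welcome1" and "amd!23" collapse to their base words before being checked. The deny list, the organisation name, the 12-character minimum and the sample rows are all constructed assumptions; a real audit would use a breached-password corpus and the directory's actual password hashes rather than plaintext.

```python
import re

# Constructed deny list of base words; a production audit would use a
# breached-password corpus (e.g. a Have I Been Pwned offline dump) instead.
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "changeme"}

# Common leetspeak substitutions so that "P@ssw0rd" normalises to "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed sample rows of (username, password); not data from the breach.
SAMPLE_CREDENTIALS = [
    ("alice", "password"),
    ("bob", "P@ssw0rd"),
    ("carol", "amd!23"),
    ("dave", "Welcome1"),
    ("erin", "correct-horse-battery-staple"),
]


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leetspeak.

    The trailing strip runs first so that 'amd!23' becomes 'amd' rather
    than having its '!' and '3' rewritten as letters.
    """
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)  # drop suffixes such as '1', '!23', '2024!'
    return p.translate(LEET_MAP)


def weak_password_reasons(password: str, org_names=("amd",), min_length=12) -> list[str]:
    """Return the list of policy failures for one password (empty if it passes)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = normalize(password)
    if base in WEAK_BASE_WORDS:
        reasons.append(f"variant of common word '{base}'")
    for org in org_names:
        if org.lower() in base:
            reasons.append(f"contains organisation name '{org}'")
    return reasons


def audit_credentials(rows, org_names=("amd",)) -> dict[str, list[str]]:
    """Map each failing username to its reasons; rows are (user, password) pairs."""
    return {user: r for user, pw in rows if (r := weak_password_reasons(pw, org_names))}


if __name__ == "__main__":
    for user, reasons in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The normalisation step is what makes the check worth running: a plain deny list matches "password" but not "P@ssw0rd", whereas attackers' wordlists routinely include such mangling rules, so the audit should too.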
AMD has confirmed it is aware of the RansomHouse claims and is currently investigating the incident.
While RansomHouse itself claims that it neither carries out the breaches nor develops or uses any ransomware as part of its operations, Narang at Tenable further explained that the group could be distancing itself from becoming a law enforcement target.
"Even with the success of double extortion, whereby ransomware groups encrypt files within a network and steal files and threaten to leak them on the dark web, the extortion factor appears to have become the central point amongst extortion groups like RansomHouse and Lapsus$.
"As the Conti ransomware group began to fold up its operations, part of its grand plans included splintering into several ransomware groups, including those that are extortion-focused like BlackByte and Karakurt.
"It’s hard to trust the word of the group, who may be trying to shield themselves from being lumped into a category of ransomware and becoming a bigger target through law enforcement operations," Narang said.
Who is RansomHouse?
RansomHouse launched its operation in December 2021 when it leaked its first victim, Saskatchewan Liquor and Gaming Authority (SLGA).
While the extortion group claims not to use ransomware in its attacks, a White Rabbit ransomware note clearly shows that it is linked to ransomware groups.
Since December, RansomHouse has added a further five victims to its data leak site, including AMD.
One of these victims is Shoprite Holdings, Africa's largest supermarket chain, which confirmed a cyber attack on 10 June.