Taiwan's Gigabyte Ransomware Attackers Threaten Data Leak
RansomEXX Gang Claims It Stole Sensitive Data
The RansomEXX gang reportedly hit Taiwan-based computer hardware maker Gigabyte last week with a ransomware attack that temporarily shut down its website and other internal services, reports The Record. The attackers have now threatened to leak 112GB of business data if a ransom is not paid, according to a message from the hackers published by TechPowerUp.
The gang claims in its message that the compromised data includes confidential information that is protected under nondisclosure agreements with other tech companies, including AMD, Intel and American Megatrends.
Gigabyte has not made any official statement related to the cyberattack. Online media outlet Bleeping Computer reports that the attack began late in the night on Aug. 3 and continued through to the early hours of the next day.
As a result, the company was forced to shut down certain internal systems and a customer support site, according to TechPowerUp. The shut-down systems included its support site, which gives customers access to support documents.
Attackers Threaten Data Leak
The threat actors who targeted Gigabyte claim to have stolen 112GB worth of internal data that they are now threatening to leak unless a ransom is paid, according to The Record. It reports that it obtained access to a page on the dark web that contained the RansomEXX gang’s extortion demands but did not spell out the size of the ransom demanded.
As proof of the data leak, the threat actors posted screenshots of four documents stolen during the attack, Bleeping Computer reports. These include an American Megatrends debug document, an Intel "Potential Issues" document, an "Ice Lake D SKU stack update schedule" and an AMD revision guide, it says.
“Over and beyond the crisis at hand, Gigabyte, like all ransomware victims, needs to understand how the ransomware got into their environment in the first place. Ransomware is not their true problem; how it got in is the real problem,” says Roger Grimes, data-driven defense evangelist at the security firm KnowBe4. “It is because they did not have the real problem fixed that they ended up with a ransomware infection.”
The RansomEXX gang is one of many newer ransomware-as-a-service gangs. Others include Pay2Key and Everest.
The earliest version of RansomEXX was called Defray, and its attack signatures can be traced back to 2018. An upgraded version was first spotted in 2020, when the gang targeted the Texas Department of Transportation, Konica Minolta and Brazil's court system.
“RansomExx is a Trojan-based ransomware strain that uses email as its delivery method,” notes a TitanHQ blog. “The e-mail features a protected Word document containing a malicious macro. As many users now disable macros by default, the email contains a message that encourages users to enable macro content. Once activated, the macro downloads a Trojan from a malicious URL which then establishes itself on the victim’s machine.”
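As an added illustration of the defender's side of the delivery chain just quoted (this is not code from the article, from TitanHQ, or from any of the vendors named), the following Python routine triages mail attachments by checking whether a zip-based Office document carries a VBA project part. The sample documents are constructed in-memory zip containers, not real Word files, and the "opaque container" branch handles the edge case the quote's "protected Word document" points at: a password-protected OOXML file or a legacy binary .doc is stored as an OLE/CFB container, so a static zip scan cannot see its macro and the file should be routed to a sandbox instead.

```python
import io
import zipfile

# Magic bytes of an OLE2 / Compound File Binary container. Legacy .doc files
# and password-protected (encrypted) OOXML files are both stored this way.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OOXML extensions that, by specification, must not carry a VBA project.
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based Office document contains a VBA project part
    (e.g. word/vbaProject.bin or xl/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a triage verdict for one attachment (hypothetical verdict strings)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(CFB_MAGIC):
        # Static zip inspection cannot see inside: any macro sits behind
        # encryption or inside the legacy binary format. Route to a sandbox.
        return "opaque container (legacy .doc or encrypted OOXML): cannot inspect, sandbox"
    if not has_vba_project(data):
        return "no VBA project"
    if ext in MACRO_FREE_EXTENSIONS:
        # The extension promises no macros, yet the archive carries one.
        return "suspicious: VBA project inside a macro-free extension"
    return "contains VBA project: quarantine for review"


def triage(attachments: dict) -> dict:
    """Classify every attachment; input maps filename -> raw bytes."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML file: a zip with the minimal part
    layout. Not a real Word document, just enough for the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are CFB blobs; the content is irrelevant here.
            zf.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mailbox: filenames and contents are made up.
    samples = {
        "invoice.docm": build_sample(True),
        "notes.docx": build_sample(False),
        "report.docx": build_sample(True),
        "legacy.doc": CFB_MAGIC + b"\x00" * 64,
    }
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```

The extension-mismatch rule matters because Word decides how to treat a file by its content, not its name: a .docx that actually contains a VBA project is a common sign of an attachment that was renamed to slip past a simple filename filter. Verdicts are intentionally coarse; in a real mail gateway they would map to quarantine, sandbox detonation, or delivery.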
This ransomware is known to target Windows-based systems. New reports have emerged that say it can now target Linux-based systems (see: RansomEXX Ransomware Can Now Target Linux Systems).