AMD is investigating a potential data breach by a new data-extortion cybercrime group called RansomHouse, according to a report from Restore Privacy.
The group published an update on its darkweb site claiming to have stolen “more than 450Gb” (it’s unclear if they meant gigabytes or gigabits) of data from the chipmaker. RansomHouse says it targets companies with weak security and was able to compromise AMD back in January because of poor passwords used to guard its networks.
“An era of high-end technology, progress, and top security… there’s so much in these words for the crowds. But it seems those are still just beautiful words when even technology giants like AMD use simple passwords to protect their networks from intrusion,” RansomHouse wrote on its site. “It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on — all thanks to these passwords.”
Restore Privacy reviewed the alleged leaked data and notes that it appears to include “network files, system information, as well as AMD passwords.” Some of the data leaked by RansomHouse and seen by TechCrunch suggests AMD employees were protecting sensitive data using passwords as simple and common as “123456” and “password.”
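Passwords like the two quoted above are exactly what a deny-list screen is meant to catch. The following is an added example, not code from the article or from AMD or RansomHouse: a password-screening function in the style NIST SP 800-63B recommends, which rejects candidates that are too short, that appear on a list of commonly used passwords, that are trivial variants of such entries (case changes, “leet” substitutions, appended digits), that are single repeated or sequential characters, or that contain context words such as the employer's name. The deny-list, the 12-character minimum and the context words are constructed assumptions for the example; a real deployment would load a large breached-password corpus.

```python
"""Screen candidate passwords the way NIST SP 800-63B suggests.

Added example, not code from the article, AMD or RansomHouse.  The deny-list
below is a small constructed sample; production systems check against a
breached-password corpus of millions of entries (often via a k-anonymity
range lookup so the candidate never leaves the host).
"""
import re

MIN_LENGTH = 12  # assumed organisational policy value

# Constructed sample deny-list (includes the two values quoted in the article).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "letmein",
    "welcome", "admin", "iloveyou", "passw0rd", "abc123",
}

# Reverse common "leet" substitutions so P@ssw0rd normalises to password.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Collapse trivial variants: lower-case, drop trailing digits/symbols
    (e.g. 'Password2022!' -> 'password'), then undo leet substitutions."""
    s = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", s)
    if stripped:            # keep all-digit values such as 123456 intact
        s = stripped
    return s.translate(_LEET)


def is_sequence(s: str) -> bool:
    """True for runs like 'abcdef', '123456' or '654321' (length >= 4)."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_password(candidate: str, context_words=()) -> list:
    """Return the list of reasons the candidate is rejected; [] means accepted.

    context_words are organisation- or user-specific strings (company name,
    username, product names) that should never appear in a password.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    # Compare both the raw lower-cased value and its normalised form so that
    # '123456', 'Password1' and 'P@ssw0rd2022!' are all caught.
    if {lowered, normalize(candidate)} & COMMON_PASSWORDS:
        reasons.append("matches a commonly used password (or a trivial variant)")

    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    if is_sequence(lowered):
        reasons.append("sequential characters")

    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context word {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the first two are the values quoted in the article.
    for pw in ("123456", "password", "P@ssw0rd2022!", "correct horse battery staple"):
        verdict = check_password(pw, context_words=("AMD",))
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Screening only removes the worst choices; it does not make a password a sufficient control on its own. The practitioner's takeaway from this incident is to pair the screen with multi-factor authentication on any externally reachable login and with rate limiting, so that a single guessable credential cannot by itself open the network.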
AMD confirmed to Tom’s Hardware that it was aware of a “bad actor” claiming to be in possession of stolen data and is currently investigating those claims. The company declined to comment on whether it received a ransom demand or whether customer data was involved.
It is therefore not yet known whether the alleged attack is genuine, or whether the stolen data came directly from AMD or from a third-party partner. Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the breach should be taken seriously.
“Ransomware operators are untrustworthy bad-faith actors and all their claims should be viewed with skepticism,” Callow said. “That said, as far as I’m aware, none of the claims they’ve made to date have proven to be false.”
Unlike other cybercrime groups that conduct ransomware attacks, RansomHouse claims to be “professional mediators” between attackers and victims whose goal is to facilitate payments for stolen data.
A tweet shared by former cybersecurity reporter Catalin Cimpanu shows the group’s website post, which states that AMD has “either considered their financial gain to be above the interests of their partners/individuals who have entrusted their data to them or have chosen to conceal the fact they have been compromised.” Cimpanu notes this “might be a failed attack where someone is trying to monetize some stolen data.”
RansomHouse is a relatively new extortion group, having first emerged in December 2021 with a darknet website that listed the Saskatchewan Liquor and Gaming Authority (SLGA) as its first victim. It later breached ShopRite, Africa’s largest retail chain. RansomHouse lists six victims in total on its website, AMD included.
Threat intelligence researchers at Malwarebytes Labs wrote a blog post about RansomHouse earlier this year, noting that the group offers to delete stolen data and provide a full report on which vulnerabilities were exploited and how. This behavior has led some researchers to speculate that the group consists of frustrated white hats, or bounty hunters, who punish companies for lax security measures.