AMD investigates RansomHouse hack claims, theft of 450GB data

Semiconductor giant AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year.

RansomHouse is a data extortion group that breaches corporate networks, steals data, and then demands a ransom payment to not publicly leak the data or sell it to other threat actors.

For the past week, RansomHouse has been teasing on Telegram that they would be selling the data for a well-known three-letter company that starts with the letter A.

Yesterday, the extortion group added AMD to their data leak site, claiming to have stolen 450 GB of data.

AMD on the RansomHouse stolen data marketplace
Source: BleepingComputer

RansomHouse told BleepingComputer yesterday that their “partners” breached AMD’s network about a year ago. Though the website says the data was stolen on January 5th, 2022, the threat actors said the date is when the hackers lost access to AMD's network.

While RansomHouse has previously been linked to ransomware operations, such as WhiteRabbit, they state that they do not encrypt devices, and ransomware was not used on AMD.

The threat actors said they did not contact AMD with a ransom demand as selling the data to other entities or threat actors was more valuable.

"No, we haven't reached out to AMD as our partners consider it to be a waste of time: it will be more worth it to sell the data rather then wait for AMD representatives to react with a lot of bureaucracy involved," a RansomHouse representative told BleepingComputer.

RansomHouse claims that the stolen data includes research and financial information, which they say is being analyzed to determine its value.

The threat actors have not provided any proof of this stolen data other than a few files containing information allegedly collected from AMD's Windows domain.

This data includes a leaked a CSV containing a list of over 70,000 devices that appear to belong to AMD's internal network, as well as an alleged list of AMD corporate credentials for users with weak passwords, such as 'password', 'P@ssw0rd', 'amd!23', and 'Welcome1.'

AMD told BleepingComputer that they are aware of the claims and are investigating the incident.

"AMD is aware of a bad actor claiming to be in possession of stolen data from AMD. An investigation is currently underway." - AMD.

Who is RansomHouse?

RansomHouse launched its operation in December 2021 when it leaked its first victim, Saskatchewan Liquor and Gaming Authority (SLGA).

While the extortion group claims not to use ransomware in their attacks, a White Rabbit ransomware note clearly shows that they are linked to ransomware groups.

White Rabbit ransom note

Since December, RansomHouse added an additional five victims to their data leak site, including AMD.

One of these victims is Shoprite Holdings, Africa's largest supermarket chain, which confirmed a cyberattack on June 10th.