A relatively new data extortion operation going by the name RansomHouse appears to have turned over the systems of semiconductor specialist AMD, stealing more than 450GB of the organisation’s data and holding it to ransom.
As initially reported by Restore Privacy, which said it was tipped off by the gang itself, AMD’s systems were first compromised in January 2022. Samples of AMD’s data have now appeared on the group’s dark website, and Restore Privacy has verified that the data seems to be authentic.
The report went on to quote RansomHouse’s operative as claiming that those responsible for network protection at AMD had been using the password “password”. This may be an indication of a successful credential stuffing attack.
Successfully contacted by Bleeping Computer, the gang, which makes a point of stating it is not a traditional ransomware operation, said it had not contacted AMD to demand money, as it would be more worth its while to sell the stolen data to other threat actors.
In response to the report, AMD said it was aware of a malicious actor claiming to be in possession of its data and that it had started an investigation.
As always in such situations, there is a lack of clarity over the precise nature of the situation, including factors such as how the data was obtained and when – although there has been a persistent rumour that AMD was hit by ransomware earlier this year.
It would be unwise to take RansomHouse at its word, as cyber criminal operations are known to make false claims when courting publicity.
Who is RansomHouse?
A new player in the fast-evolving cyber criminal underground, RansomHouse emerged late in 2021 and, to date, its dark web leak site has listed a total of six victims. Its first victim, in December 2021, was Canada’s Saskatchewan Liquor and Gaming Authority (SLGA). More recently, it leaked data stolen from South Africa-based retailer ShopRite, which is Africa’s largest private sector employer.
According to intelligence published in May 2022 by Cyberint, the gang is notable for not cleaving to the traditional model of a data extortion operation, claiming to be motivated by more than just financial gain and depicting its victims as the real villains for not taking security seriously.
Cyberint said it had confirmed that RansomHouse’s campaigns were focused on extortion only, and that it did not possess or develop any encryption module.
Jim Simpson, director of threat intelligence at Searchlight Security, said RansomHouse seemed to be taking to an extreme the archetype of an “ethical” data extortion gang, the sort of malicious actors who claim their motivation is simply to improve the information security standards of their victims, albeit by conducting unscheduled penetration tests.
“RansomHouse claims its primary goal is to ‘minimise the damage that might be sustained by related parties and raising awareness of data security and privacy issues’,” said Simpson.
“However, their stated frustration with ‘ridiculously small’ bug bounty amounts paid out by companies and the whole operation – holding data hostage until a victim pays the ransom, or selling it to other threat actors in the event they refuse – makes it clear they are a financially motivated threat and want money from their victims,” he added.
“If the victims refuse to pay the requested ransom, and no one decides to buy it, RansomHouse will publicly share the stolen data on their dark web PR site and Telegram channel,” continued Simpson.
“In another attempt to create a veneer of benevolence, the group claims that individuals who fear they are part of a soon-to-be-leaked dataset can request via Telegram to have their information removed before publication – however, our assessment is it is unlikely to be true.”
Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Center, added: “Cyber security adversaries come in all shapes and sizes, with all kinds of motivations. Recently, RansomHouse has been engaging with a cyber twist on victim shaming. They claim that ‘the culprits are those who did not put a lock on the door leaving it wide open inviting everyone in’.
“[But] organisations who have poor cyber security do not deserve to be victims. If you were walking past a house and saw the door open, what would you do? You would not enter the house uninvited, and you would not steal a TV or jewellery just to prove that the house owner was not following good security practices.
“While RansomHouse’s attitude might be unusual, their methods and motivations are as common and mercenary as any other criminal’s,” noted Knudsen.