
Gigabyte hit by ransomware with website partially down for days

StDragon

Summary

Gigabyte got hit by ransomware via the same RansomExx gang that took down the health department in Lazio Italy

 

Quotes

Quote

Taiwanese computer hardware vendor GIGABYTE has suffered a ransomware attack, and hackers are currently threatening to release more than 112 GB of business data on the dark web unless the company agrees to their ransom demands.

 

My thoughts

Another day, another victim. Though I was personally frustrated that as of the last 48 hours, I couldn't access part of the download sections for certain motherboards. This explains why it was down.

 

Sources

https://therecord.media/motherboard-vendor-gigabyte-hit-by-ransomexx-ransomware-gang/


Summary

Next in the never-ending train of companies getting ransomed it's GIGABYTE's turn to pay up. Allegedly 112 GB of data is held ransom by the RansomExx gang and is threatened to be published if they don't pay. The demanded amount of money is at this moment unknown. The stolen files seem to be some internal debug and technical documents. Only a small number of servers were affected according to a spokesperson, which are now offline and under investigation.

 

[Image: Gigabyte-onion-2]

Image credit: The Record. From what I can find CLX refers to Cascade Lake and Purley refers to their Xeon lineup, so I'm guessing Purley-R refers to the Cascade Lake R refresh.

 

Quotes

Quote

Taiwanese computer hardware vendor GIGABYTE has suffered a ransomware attack, and hackers are currently threatening to release more than 112 GB of business data on the dark web unless the company agrees to their ransom demands. The Taiwanese company, primarily known for its high-performance motherboards, confirmed the attack in a phone call and in a message on its (now-down) Taiwanese website. A spokesperson said the incident did not impact production systems. Only a few internal servers at its Taiwanese headquarters have been affected and have now been taken down and isolated.

 

Quote

On this non-public leak page, the threat actors claim to have stolen 112 GB of data from an internal Gigabyte network as well as the American Megatrends Git Repository,

 

    We have downloaded 112 GB (120,971,743,713 bytes) of your files and we are ready to PUBLISH it.
    Many of them are under NDA (Intel, AMD, American Megatrends).
    Leak sources: newautobom.gigabyte.intra, git.ami.com.tw and some others.

 

While we will not be posting the leaked images, the confidential documents include an American Megatrends debug document, an Intel "Potential Issues" document, an "Ice Lake D SKU stack update schedule," and an AMD revision guide.

 

My thoughts

Not much to think about for me really, just another one to add to the list. I'm a little bit surprised how many companies are getting hit with ransomware lately. Is it really that easy to infect someone with it or is there some serious common lack of security in all these large corporations? Of course all it probably takes is one employee unfortunately accidentally doing something sketchy on a work computer and it's done, but still. I'm curious how high the requested amount of money is. No deadline is apparent so we'll have to wait and see how this plays out. I wonder if the lack of a price demand indicates they are planning to publish it anyway, but I don't know enough about RansomExx's MO to say anything about that.

 

Sources

@TetraSky

https://therecord.media/motherboard-vendor-gigabyte-hit-by-ransomexx-ransomware-gang/

https://www.bleepingcomputer.com/news/security/computer-hardware-giant-gigabyte-hit-by-ransomexx-ransomware/

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


1 minute ago, Mel0nMan said:

Here’s a good idea, keep offline backups so you don’t have to pay for data back?

But seriously, it is quite interesting how many companies are being hit with these attacks. 

I think the bigger problem is you or me getting our hands on their documents instead of them restoring a backup.

 

Also @StDragon sorry didn't realise you sniped me on this until after posting D: if any mod sees this feel free to merge or (re)move this one.


@tikker It's no problem. It happens. I'll let the mods decide what to do with my post.


What's interesting is that it was BIOS updates that I was looking for, as Intel released multiple CPU microcode updates for June and July. Also missing (if it ever was available, not sure) is the EOL of MBs. Gigabyte has a knack for just ghosting their userbase without any further firmware updates.


So that's why I couldn't open the bookmarked page for an A320 board I needed to bios update!


2 hours ago, tikker said:

Sources

@TetraSky

🤦‍♂️😂
You didn't have to put me in as the source, it makes it weird even if I'm the one who originally posted about this in the Status Updates and was too lazy to make a thread about it. Gave me a good laugh though.

 

 

The only saving grace in all this, is that at least it wasn't their production servers that got hit.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


10 minutes ago, TetraSky said:

The only saving grace in all this, is that at least it wasn't their production servers that got hit.

Damn. I was hoping for an improvement from the aftermath. j/k


1 hour ago, TetraSky said:

🤦‍♂️😂
You didn't have to put me in as the source, it makes it weird even if I'm the one who originally posted about this in the Status Updates and was too lazy to make a thread about it. Gave me a good laugh though.

Haha well credit due where credit's due. Wouldn't want to get sued or ransomed for plagiarism 😛

 


Quote

"According to the report, attackers stole as much as 112GB of confidential data, which includes motherboard designs, sensitive encryption keys, UEFI BIOS versions for yet-unreleased products, TPM data, and much more". - tomshardware.com

Unless I'm blind, I don't see where Tom's HW got that from the report. But if true, that would put into question the trustworthiness of Secure Boot and TPM attestation. Unless Gigabyte can offer BIOS updates post ransomware remediation, I'm concerned that Microsoft might blacklist certain Gigabyte MB support for the upcoming Windows 11.


Is there no way to get in touch with Gigabyte right now? Either via phone or e-mail? I can't open a support ticket and my video card is probably on its way out. I imagine there's going to be a huge backlog of tech they'll need to troubleshoot by the time this ransomware issue is dealt with. 


Maybe they used all their inventory to crack the ransomware encryption 

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


We need to find who they are and ship all the GP series PSUs to them.

I'm not actually trying to be as grumpy as it seems.

I will find your mentions of Ikea or Gnome and I will /s post. 

Project Hot Box

CPU 13900k, Motherboard Gigabyte Aorus Elite AX, RAM CORSAIR Vengeance 4x16gb 5200 MHZ, GPU Zotac RTX 4090 Trinity OC, Case Fractal Pop Air XL, Storage Sabrent Rocket Q4 2tbCORSAIR Force Series MP510 1920GB NVMe, CORSAIR FORCE Series MP510 960GB NVMe, PSU CORSAIR HX1000i, Cooling Corsair XC8 CPU block, Bykski GPU block, 360mm and 280mm radiator, Displays Odyssey G9, LG 34UC98-W 34-Inch,Keyboard Mountain Everest Max, Mouse Mountain Makalu 67, Sound AT2035, Massdrop 6xx headphones, Go XLR 

Oppbevaring

CPU i9-9900k, Motherboard, ASUS Rog Maximus Code XI, RAM, 48GB Corsair Vengeance LPX 32GB 3200 mhz (2x16)+(2x8) GPUs Asus ROG Strix 2070 8gb, PNY 1080, Nvidia 1080, Case Mining Frame, 2x Storage Samsung 860 Evo 500 GB, PSU Corsair RM1000x and RM850x, Cooling Asus Rog Ryuo 240 with Noctua NF-12 fans

 

Why is the 5800x so hot?

 

 


Update on this: Gigabyte have access to their emails again but their file system is still encrypted.

 

Also informed everyone of this Friday morning.

 


Gigabyte has so far refused to pay ransom and in response the hackers have distributed some 7GB of data. https://cybernews.com/news/gigabyte-amd-intel-confidential-data-leaked-online/

Quote

Aside from confidential corporate data, the leaked archive appears to contain no identifiable personal user information like customer credit card details, account credentials, or other sensitive personal documents.


I agree with Gigabyte, don't pay the ransom. If they got backups, there's no reason to trust criminals that they won't sell the info anyways. They are *criminals* for a reason!


On 8/6/2021 at 11:50 PM, Mel0nMan said:

Here’s a good idea, keep offline backups so you don’t have to pay for data back?

But seriously, it is quite interesting how many companies are being hit with these attacks. 

Keeping airlocked backups is a standard with nearly all cloud services. You have to pay slightly extra, but iirc Oracle and GCS give it for free.
