Ransomware has struck the Taiwanese hardware manufacturer Gigabyte, encrypting and apparently stealing data. A group operating under the name RansomEXX is said to be behind the attack. The English-language news site Bleepingcomputer.com reports this, citing the Chinese news portal United Daily News. According to the report, the incident occurred on the night from Tuesday to Wednesday.
Gigabyte shut down some systems and informed law enforcement authorities after suspicious events appeared on the network. According to the manufacturer, only a small number of servers are affected. The support page esupport.gigabyte.com is, as of 7.8., still not available and reports: “The server encountered a temporary error and could not complete your request.”
Bleepingcomputer says it has a copy of the ransom note. The note not only demands money for the key to decrypt the encrypted data; should the company refuse, 112 GB of data will also be published. This is said to include confidential data from cooperation partners and suppliers such as Intel, AMD and American Megatrends. Bleepingcomputer said it had access to some of these documents, which were attached as evidence. These also include an “Ice Lake D SKU stack update schedule” from Intel.
As further evidence, the ransom note contained some hostnames of internal servers. The blackmailers expressly demanded that only an official representative of the company contact them – any other form of contact would lead to an increase in the ransom.
The criminals behind RansomEXX not only target Windows servers but are also able to encrypt Linux virtual machines. They are particularly interested in virtual machines in ESXi environments, as several security researchers reported in June 2021.