Gigabyte Technology, a Taiwanese manufacturer and distributor of computer hardware, has allegedly suffered a massive data breach as a result of a ransomware attack. 

The AvosLocker ransomware gang is claiming to be behind the breach, leaking a sample of “stolen files” from Gigabyte’s network and offering to sell the rest of the data.

The threat actors posted a “press release,” announcing that it had hacked the Taiwanese company. PrivacySharks and Threatpost confirmed the leaked files appear to contain confidential details regarding deals with third-party companies and personally identifiable information about employees. 

“Gigabyte INC suffered a breach, and this is a sample of the files we’ve downloaded from their network. Barracuda NDA + full dir list leaked in [the] sample,” AvosLocker said. 

The ransomware group has threatened to leak more data from Gigabyte’s network if the company refuses to negotiate, according to PrivacySharks. In addition, PrivacySharks researchers say, “We hope that there are no Gigabyte private master keys included in this leak which could potentially see a new supply chain attack like the Solarwinds Supply Chain Attack. If the leak does include keys, these could be used to impersonate Gigabyte, forcing servers and motherboards to download fake updates and drivers, etc.”

The leaked data contains files from as recently as May 2021, as reported by PrivacySharks, and includes the following:

• Potential credit card details. Fortunately, if these files contain credit card information, the credit cards may be expired as this folder is from 2014.
• Password and username details.
• Employee payroll details.
• HR agreements with consultants as well as full names, images, and CVs.
• 10 PDF documents in a file named ‘Passports.’
• Information on over 1,500 job candidates, including full names, CVs, resumes, and applications. There are also Zoom internet details with what appears to be personal information on each candidate.
• A folder named ‘Mailchimp’ containing GSM Account Database information. This could include email addresses.
• A zip folder containing an NDA and information of a deal with Barracuda Networks worth $100,000+
• In addition to Barracuda Networks, the leak includes various data from the following well-known companies: Blizzard, Black Magic, Intel, Kingston, Amazon, BestBuy.
• A .txt file named ‘Tree’ containing 133,352 lines of folder and file names stolen in the breach.
• Business expenses from trips such as ‘Hawaii 2019’, including money spent on Luau drinks, uber trips, and tips.
• Images from company events, including Christmas parties, Halloween parties, and ‘Tony’s Birthday.’

Furthermore, the leaked data risks not only company reputation, but also Gigabyte’s relationships with third-party companies as highly confidential deals and NDAs have been exposed. 

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “The recent incident affecting Gigabyte is the second time the Taiwanese company has been impacted by a ransomware attack in the past three months. The RansomExx group targeted Gigabyte in August 2021, which resulted in the theft of 112GB of data. However, it is yet unclear whether this is connected to the recent attack by AvosLocker.”

Avoslocker is a relatively new ransomware group and was first observed in June 2021, Morgan explains. “They are based on the ransomware-as-a-service (RaaS) business model. This involves ransomware developers renting out their malware and infrastructure to affiliates, who conduct attacks on their behalf in return for a share of profits. AvosLocker is distinctive due to its use of an auction feature for stolen data, which the group introduced in mid-September; this followed the introduction of a similar feature by the REvil group in June 2021. This allows interested parties to pay for the data that AvosLocker steals from their victims, though it is unclear how successful this feature has been in terms of providing an additional revenue source for the group.”

“The details in the file tree should be extremely concerning to Gigabyte as they consider the impact of this breach, notes Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response. “In most double extortion schemes, the data theft focuses on quantity rather than quality. The file tree from this dump suggests that, in this case, the threat actor focused on quality. The AvosLocker double extortion model includes the sale of data for those that don’t pay, rather than just free release. To facilitate sales, AvosLocker must steal data that’s worth buying. The file tree (directory listing) teased by AvosLocker certainly appears to be the kind of data that would be valuable to a multitude of cybercriminals. In addition to personal data, the dump would also seemingly include contract details that will doubtlessly damage relationships with vendors and cause significant reputational losses for Gigabyte. It also seems likely there are trade secrets included in the dumps. However, the quantity and quality of those trade secrets are difficult for outsiders to evaluate based on file and directory names. But one thing is for sure — Gigabyte is feverishly evaluating the contents of the files in the directory listings and evaluating the impact of their probable release.”