RansomEXX ransomware attacks Gigabyte Technologies

August 12, 2021

Gigabyte Technologies, a Taiwanese motherboard maker and computer hardware manufacturer, has been targeted and attacked by a ransomware gang called RansomEXX. The gang has threatened to publish 112GB of data stolen from the company unless Gigabyte pays the ransom.

Gigabyte's main product is motherboards, but the company also provides and distributes other kinds of computer hardware.

The company was forced to shut down its operations in Taiwan from the night of August 3rd until the next day, August 4th, because of the ransomware attack. Gigabyte's support site and multiple other websites were also severely affected by the attack. As for the issues customers raised in the midst of the ransomware attack, they have reported being able to access random support documents and obtain updated RMA data.

Gigabyte has confirmed that it was under a cyberattack, as the Chinese news site United Daily News reported. The attack was said to significantly impact a small number of servers owned by Gigabyte. The company acted quickly once it detected abnormal activity during its operations: it immediately shut down its systems and alerted law enforcement.


The suffering of Gigabyte during the attack 

When Gigabyte first found that it was under cyberattack, it had not yet officially announced it. However, security researchers have discovered that the attack was carried out by the RansomEXX gang. The gang's practice is to leave many ransom notes on every device it encrypts across a victim's network.

These ransom notes include a non-public page, restricted so that only the victim can access it. Its purpose is to let the victim test the decryption of an encrypted device or file. Once the victim enters that restricted page, they must leave an email address through which the attacker and the victim will conduct ransom negotiations. As of August 6th, a source had sent the researchers the link to the same non-public RansomEXX leak page, intended exclusively for Gigabyte. On this page, the attackers tell the victim that they stole more than 112GB of data during the attack and that the victim must comply with their ransom demands.


More information about RansomEXX ransomware 

Established under the name Defray in 2018, the RansomEXX ransomware operation rebranded in June 2020 and has since become more involved in cyberattacks. Its basic process is to breach a target network via Remote Desktop Protocol. Like any other ransomware operation, it steals and exploits the sensitive data and credentials it takes from victims.

The more credentials the attackers harvest, the more likely they are to gain control of the victim's Windows domain controller once they have access. As they spread through the victim's network, they gather and steal as much valuable data as they can and then use it to extort ransom payments.

Moreover, RansomEXX has developed a Linux encryptor used to encrypt virtual machines running on VMware ESXi servers, since the gang wanted to move beyond targeting only Windows devices. With the gang active on the cyberattack scene over recent months, there have been reports that it attacked high-profile companies such as Ecuador's state-run Corporación Nacional de Telecomunicación.

Over the past months, the RansomEXX gang has become increasingly committed to its operations. It has recently attacked Italy's Lazio region, Brazil's government networks, the Texas Department of Transportation (TxDOT), IPG Photonics, and more.
