Clevo gaming laptop-maker claimed by RansomHub ransomware gang


Clevo, a leading manufacturer of customizable gaming laptops, was claimed Monday by RansomHub, the cybercriminal gang recently involved in publishing stolen data from UnitedHealth Group’s Change Healthcare hack.

The gang posted the global laptop manufacturer on its dark web leak blog, claiming to have stolen a massive 200GB of data from Clevo's networks, along with an eight-day countdown for the company to negotiate and pay a ransom demand.

“All network and backups are fully ecnrypted [sic]. We took care of it. The company has no chance to recover. Only our decryptor will help them to get back to work, nothing else will help them,” the hacker group posted on their leak site.


Clevo is a leading ODM/OEM manufacturer known for producing barebones laptops for other companies to customize, as well as their own product lines of notebooks, tablets and All-in-One PCs.

The Clevo laptop brand is well known in the video gaming industry. Partners and clients include major technology companies such as MSI, Gigabyte, Asus, Nvidia, Intel, Micron, and AMD.

The Russian-leaning RansomHub also posted 10 sample files, allegedly from the stolen cache, containing what appears to be manufacturing roadmaps, license agreements, specifications, schematic drawings, and other confidential and proprietary documents related to the tech giants mentioned above.

ODM/OEM stands for original design and original equipment manufacturer.

Ransom note and instructions

RansomHub claims to have infiltrated Clevo’s network and been able to move around its systems “for a long time.”


The gang says they had the time to analyze the manufacturer’s “products, clients and partners,” downloading “the most important and sensitive data.”

The group lists at least 18 file formats among the exfiltrated data: pdf, pptx, ppt, dwg, dxf, prt, sldprt, asm, sldasm, sdcpc, sdac, sdcc, sdwc, doc, dwt, dws, prt, sdp.

“We tried to find a peaceful solution to solve this problem,” RansomHub wrote in its lengthy explanation.

[Image: RansomHub's Clevo ransom note and instructions, as shown on the RansomHub leak site. Image by Cybernews.]

The ransom note then chastised the company for visiting RansomHub’s landing page, reading its message, and also being informed by phone calls of the gang’s attack – even claiming one of Clevo’s employees laughed at the gang during the call.

“You still have time and opportunity to contact us and solve everything for a little money. We are waiting in the chat. We don’t want your company to collapse your partners to sue you for NDA vialotion [sic] and the drawings and product developments to be sold to competitors,” the group threatened.

Who is RansomHub?

RansomHub is a relatively new player in the ransomware ecosystem, having posted its first victim on February 26th, 2024.

According to Ransomlooker, Cybernews’ ransomware monitoring tool, RansomHub has claimed more than 45 organizations in total over the past five months.

Recent May breaches include the infamous Christie’s auction house located in the ritzy Upper East Side of Manhattan (data now published), and Frontier, the 4th largest high-speed internet provider in the US covering 25 states.

[Image: RansomHub leak blog listing Clevo, Frontier, and Christie's. Image by Cybernews.]

In April, RansomHub posted a portion of stolen data files from a February breach of the US health technology giant Change Healthcare, carried out by the notorious ALPHV/BlackCat ransomware group.

Apparently, as one of the many criminal affiliates of the now-defunct ALPHV/BlackCat, RansomHub claims to have more stolen files belonging to the UnitedHealth Group-owned company.

The group primarily operates a ransomware-as-a-service business model, charging affiliates a cut of ransom profits in exchange for the use of its ransomware tools, according to a SOCRadar Dark Web Profile report from March.

Analysts claim that the gang’s setup closely resembles a traditional Russian ransomware setup, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China.

Clevo is a subsidiary of the Taiwan-based Chicony Electronics, a multinational motherboard and electronics manufacturing conglomerate.