LockBit Hits TSMC for $70 Million Ransom: What CIOs Can Learn

Taiwan Semiconductor Manufacturing Company (TSMC), a contract chipmaking company, confirmed a cybersecurity incident at one of its third-party IT hardware suppliers. The breach at the supplier, Kinmax Technology, impacted TSMC. TechCrunch reported that the LockBit ransomware gang demanded TSMC pay a $70 million ransom in exchange for data stolen in the breach.

This hefty demand is a part of the larger trend of continued ransomware activity. Is LockBit likely to get a payout? What is the potential fallout for TSMC? And what can other potential ransomware victims do to protect themselves?

The Breach

Kinmax Technology discovered the breach on June 29, according to its statement on the incident. The breach involves “information pertinent to server initial setup and configuration,” according to an emailed statement from TSMC. The company halted its data exchange with Kinmax Technology, and it shared that the breach has not impacted its business. “Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any TSMC’s customer information,” according to the statement.

LockBit named TSMC as a victim on its dark web leak site, according to TechCrunch. TSMC did not address the ransomware demand in its statement.

Potential Outcomes

When hit with a ransomware demand, companies are faced with the decision to pay or not to pay. In 2022, the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) received 2,385 complaints relating to ransomware. Those complaints are linked to more than $34.3 million in losses, according to the FBI Internet Crime Report 2022.

TSMC has not given any public indication of how it plans to respond to LockBit’s demand. Bill Bernard, area vice president of cybersecurity company Deepwatch, believes it is unlikely the chipmaker will give in and pay the ransomware gang. “They’re claiming very publicly that the data gathered was not damaging to their ability to do business or to their customers. If true, there’s very little motivation for them to pay this extortion,” he tells InformationWeek.

Refusal to pay would be a part of a larger trend observed over the past year or so, according to Bernard. He notes there have been “…more attempted ransomware events, but fewer payouts as businesses see the cost of recovery being significantly less than the cost of the ransom.”

Even if refusal to pay is the less expensive option, companies still face consequences in the wake of an attack like this. “If TSMC opts not to pay, it could face short-term operational disruption, potential data loss, and the leak of sensitive information, damaging its reputation and breaching customer trust,” explains Ani Chaudhuri, CEO of data security company Dasera.

If TSCM does decide to pay, it could serve as validation of the ransomware business model. “If businesses succumb to such high demands, we may witness an escalating trend in ransom demands, inspiring more malicious actors to participate in this criminal enterprise,” saysChaudhuri.

Continued Ransomware Activity

LockBit was the most commonly used ransomware variant in the world in 2022, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA reports that the ransomware gang has successfully extorted $91 million in U.S. ransom payments since it was first observed in the U.S. in 2020.  

LockBit’s $70 million demand signals a high level of confidence. Threat actors will continue to look for high-stakes targets that can afford to meet expensive demands. “The $70 million ransom demand is one of the five largest ever, but it reflects the size of TSMC and the fact that it is one of the largest chipmakers globally,” says Sai Huda, CEO of cybersecurity risk and compliance solution company CyberCatch.

If successfully collected, the $70 million ransom would significantly fuel LockBit’s operations. But even if TSCM refuses to pay, the ransomware gang will likely continue its activity. “Ransomware will continue as long as the benefits to the actors outweigh the costs. As long as they can make money without getting caught, they will seek to make as much as they can,” says Scott C. Algeier, executive director of the nonprofit Information Technology-Information Sharing and Analysis Center (IT-ISAC).

Law enforcement is actively working to disrupt ransomware activity. In June, the U.S. Department of Justice (DOJ) announced charges against a Russian national involved in LockBit ransomware activity. In January, the DOJ released details of its disruption campaign of the Hive ransomware group.

But law enforcement and regulatory bodies face many challenges as they work to thwart ransomware gangs. Halting these threat actors often requires global cooperation.  “Law enforcement has become increasingly successful at takedowns,” says Algeier. “But many ransomware actors live in countries that are beyond the reach of U.S. law enforcement.”

While law enforcement has a role to play, so do the organizations at risk of becoming ransomware victims. “Organizations must realize cybersecurity is an essential business requirement, not a mere IT problem,” says Chaudhuri. “By adopting a proactive, security-first approach, we can collectively reduce these ransomware attacks’ impact and success rate.”

The TSMC and Kinmax Technology incident highlights the importance of understanding third-party risk. “As larger enterprises become more secure, less secure, smaller companies are being targeted as means to access the larger enterprise partners,” explains Algeier.

While prevention is essential in the fight against ransomware, companies must also be prepared with an effective incident response plan. “Perform a data theft and ransomware simulation and test the entire organization's incident response capability with a desktop and technical test,” Huda suggests.

Preparing for the possibility of a ransomware attack can help companies be resilient as the threat landscape continues to grow and evolve. “Understanding organizational risk can be the difference between paying out or not,” says Bernard.

What to Read Next:

2020 SolarWinds Breach: Execs Face Potential SEC Legal Action

MOVEit Breach Continues to Snap Up Victims

Data Breach Settlement: Manufacturing Company to Pay $1.75M to Employees