A handful of major technology firms have been the victim of headline-making extortion attempts over the last month, each of them suffering a cyberattack that resulted in their proprietary data and sensitive information being posted on the dark web. An extortion and ransomware gang called Lapsus$ Group has brazenly taken credit for the hacks thus far.
Lapsus$ is a new name when it comes to ransomware, with the Brazil-based group only becoming widely known in December of 2021. As a result, little is known about them.
However, they are displaying the arrogant hallmarks seemingly inherent to such enterprises. From posting polls asking the public what company they would like to see hacked next to taking to social media for the purposes of bragging, Lapsus$ is operating as if they expect no repercussions for their actions.
Another unusual characteristic of Lapsus$ is that, unlike other ransomware gangs, they seem to be just as interested in smearing their victims via website defacements and trolling as they are in collecting money. Victims have seen their social media accounts hijacked and their websites redirected to illicit material.
Some of the group’s actions, as well as their sudden rise to notoriety and enjoyment of the spotlight, lead researchers to believe that Lapsus$ may be largely composed of amateur hackers as opposed to seasoned veterans. However, with so many groups exchanging members or rebranding to keep authorities on their toes, it is currently impossible to know who might be leading the charge behind the scenes.
While Lapsus$ first targeted victims in South America, including Brazil's Ministry of Health and a major telecommunications company, the group quickly switched gears and started to target major tech companies with surprising success.
On February 23rd of 2022, Nvidia became aware that Lapsus$ had broken into their corporate network and made off with over 1TB of stolen data.
In an unusual move, Lapsus$ did not ask for a ransom or payout to prevent the release of the trove, which is said to include employee info as well as firmware and proprietary product data. Instead, Lapsus$ is demanding that Nvidia remove a limitation on their graphics cards in order to make them more useful for crypto mining.
As crypto mining has become more popular, the graphics cards used to run the necessary algorithms have become nearly impossible to purchase. The hardware is quickly snapped up by those looking to profit either from mining themselves or reselling the products to others.
To allow their target market of gamers to more easily purchase their hardware, Nvidia has built a feature called Lite Hash Rate (LHR) into their graphics cards that is designed to make them undesirable when it comes to crypto mining and therefore curb the community’s insatiable demand.
Lapsus$ is demanding that Nvidia remove the feature from their products and even went on to modify their terms by requesting that Nvidia also make their “current and future drivers for all cards open source” or face a leak of the stolen data.
As a result of the attack, Nvidia was forced to take parts of its business offline for two days, and threat actors are already using some of the information Lapsus$ leaked to exploit Windows systems.
Nvidia allegedly attempted to hack Lapsus$ back and encrypt the stolen data. While they were successful, Lapsus$ had already backed up the stolen info and the retaliatory measure seems to have had little effect.
On March 4th, Lapsus$ began implying that it had hacked tech giant Samsung.
The group claimed that it had stolen the company’s biometric unlock algorithm as well as other proprietary, secret code in a stash of 198GB. Soon after, the data was released as a torrent and has skyrocketed in popularity.
Samsung has responded by acknowledging that a breach occurred, while reassuring its customers that their personal data was not compromised and that the company's operations will not be disrupted. Security researchers, however, fear that the leaked code could make security on Samsung devices extremely challenging, if not impossible, to maintain.
It is not known what kinds of demands, if any, Lapsus$ placed on Samsung prior to the leak.
Lapsus$ possibly behind Ubisoft hack
French video game developer Ubisoft experienced a “cybersecurity incident” that resulted in a temporary disruption to the company’s games and services.
While Ubisoft was able to quickly recover and mandated that all employees change their passwords, the company said that customer data was unaffected and has yet to comment further with regard to the incident.
Lapsus$ has yet to take official credit for the attack on Ubisoft, but the Telegram channel that is allegedly used by the group responded to the news with a smirking face emoji.
While it is impossible to tell whether the emoji implied responsibility for the event or simply expressed satisfaction at the company's distress, the activity surrounding the hack of Ubisoft does suggest the group's involvement.
The emoji may also be an effort to simply create some chaos around the event while providing possible street cred for the group.
What’s next for Lapsus$?
Lapsus$ shows no signs of slowing down its activity, and it's clear that cyber extortion and ransomware are here to stay.
Lapsus$ has recently posted a recruitment ad in which it proclaims to be on the lookout for employees of major companies such as Microsoft, IBM, Apple and EA Games who could be persuaded to give the gang login credentials or other important information that would allow them to hack into company networks.
Lapsus$ is offering payment for anyone who provides them with access, meaning that disgruntled employees, or simply those who are strapped for money, may be tempted to contact Lapsus$ with insider data.
This is an especially dangerous scenario given society’s reexamination of employee treatment within multibillion dollar companies, brutal “crunch” scenarios in game development studios and the skyrocketing cost of living.
It is possible that Lapsus$’s meteoric rise to notoriety may work against the group as their desire for attention amidst the hacking and ransomware community puts a target on their members. It is also possible that the group continues to antagonize the tech industry with data leaks, dissolves into multiple other groups or rebrands to throw authorities off their trail.
In our current moment, however, companies that have appeared on Lapsus$’s polls and posts are already working to bolster their defenses in anticipation of the gang’s actions.
British multinational telecom company and Lapsus$ target Vodafone, for example, has begun internal investigations into their IT protocols and has reminded employees that even a seemingly minor leak of internal data could have major consequences with regard to the company’s reputation, security and stability.
Depending on the morale of the employees at the company, it’s difficult to tell if such messaging will deter or encourage internal team members to sneak information to Lapsus$ for a quick profit.
While Brazil has long suffered from a shortage of trained personnel to help combat its growing cybersecurity issues, the nation's IT companies are expected to spend $1 billion on security in 2022.
It is yet to be determined if this has any effect on Lapsus$’s activities or their confidence.