
The Lapsus$ hacking team got off to a weird start


Ransomware gangs have become well-oiled money-making machines in their quest for criminal profit. But since December, a seemingly new group called Lapsus$ has fueled chaos in the field, with a strong social media presence on Telegram, a series of famous victims (including Samsung, Nvidia, and Ubisoft), scandalous leaks, and dramatic accusations that add up to a reckless escalation in an already illegal industry.

What also makes Lapsus$ remarkable is that the group is not really a ransomware gang. Instead of exfiltrating data, encrypting the target's systems, and then threatening to leak the stolen information unless the victim pays, Lapsus$ seems to focus solely on data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying malware that encrypts the data.

“It’s all pretty erratic and unusual,” said Brett Callow, a threat analyst at anti-virus company Emsisoft. “My impression is that they are a talented but inexperienced organization. Whether they will look to expand and bring in branches or keep it small and lean remains to be seen.”

Lapsus$ emerged just a few months ago, at first focused mostly on Portuguese-speaking targets. In December and January, the group attacked and attempted to blackmail the Brazilian health ministry, Portuguese media giant Impresa, South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also conducted denial-of-service attacks against victims, rendering their websites and services unavailable for a period of time.

Even in those early campaigns, Lapsus$ was innovative; it set Localiza’s website to redirect to an adult media site for several hours until the company could revert it.

As the attackers stepped up their activity and gained confidence, they expanded their reach. In recent weeks, the group has attacked Argentine e-commerce platforms MercadoLibre and MercadoPago, claimed to have compromised the UK telecommunications network Vodafone, and begun leaking sensitive and valuable source code from Samsung and Nvidia.

“Remember: The only goal is money, our reason is not political,” Lapsus$ wrote on its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram at the end of February, it added, “Please note: We are not state-sponsored and we are not involved in politics.”

However, researchers say the truth about the gang’s intentions is more obscure. Unlike the most prolific ransomware groups, Lapsus$ seems to be a loose collective rather than a disciplined, organized operation. “At this point, it’s hard to say for sure what the group’s motives are,” said Xue Yin Peh, senior cyber threat intelligence analyst at security firm Digital Shadows. “There is no indication that this group is using ransomware to extort money from victims, so we cannot confirm that they are financially motivated.”

Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including large amounts of sensitive information about the design of Nvidia graphics cards, the source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia didn’t respond to a series of unusual requests. At first, the gang asked the chip manufacturer to remove an anti-cryptocurrency feature called Lite Hash Rate from its GPUs. Then Lapsus$ asked the company to release certain drivers for its chips.

“The focus on crypto mining shows that the final group can be financially motivated; however, they are definitely taking a different approach than other pools in attracting financial rewards,” Digital Shadows’ Peh said.


