The Lapsus$ hacking group is off to a rocky start

Ransomware gangs have become well-oiled money-making machines in their pursuit of criminal profits. But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, frolicking with a strong social media presence on Telegram, a string of high-profile victims including Samsung, Nvidia and Ubisoft, calamitous leaks, and dramatic charges that add to a reckless escalation in an already illegal industry.

What also makes Lapsus$ remarkable is that the group is not really a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then threatening to release the stolen information unless the victim pays, Lapsus$ appears to focus exclusively on data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.

“It’s all been pretty erratic and unusual,” says Brett Callow, threat analyst at antivirus firm Emsisoft. “My feeling is that they are a talented but inexperienced operation. Whether they will look to grow and recruit affiliates or stay small and lean remains to be seen.”

Lapsus$ appeared just a few months ago, initially focused almost exclusively on Portuguese-speaking targets. In December and January, the group hacked and attempted to extort the Brazilian Ministry of Health, Portuguese media giant Impresa, South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also launched denial of service attacks against victims, rendering their sites and services unavailable for a period of time.

Even in these early campaigns, Lapsus$ showed creativity; it set the Localiza website to redirect to an adult site for a few hours until the company could undo it.

As the attackers intensified and gained confidence, they expanded their reach. In recent weeks, the group has hit Argentinian e-commerce platforms MercadoLibre and MercadoPago, claimed to have breached UK telecom Vodafone, and started leaking sensitive and valuable source code from Samsung and Nvidia.

“Remember: the only goal is money, our reasons are not political,” Lapsus$ wrote on its Telegram channel in early December. And when the group announced its breach of Nvidia on Telegram in late February, it added: “Please note: we are not state-sponsored and we are not in politics at all.”

Researchers say, however, the truth about the gang’s intentions is murkier. Unlike many of the more prolific ransomware groups, Lapsus$ appears to be more of a loose collective than a disciplined, corporate operation. “At this point, it’s hard to say for sure what the group’s motivations are,” says Xue Yin Peh, senior cyber threat intelligence analyst at security firm Digital Shadows. “There is no indication yet that the group is using ransomware to extort victims, so we cannot confirm that they are financially motivated.”

Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including a significant amount of sensitive Nvidia graphics card design information, source code for an Nvidia AI rendering system called DLSS, and usernames and passwords of over 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia did not respond to a series of unusual requests. At first, the gang demanded the chipmaker remove an anti-crypto-mining feature called Lite Hash Rate from its GPUs. Next, Lapsus$ demanded that the company release certain drivers for its chips.

“The focus on cryptocurrency mining suggests that the group may ultimately be financially motivated, but it certainly takes a different approach than other groups to soliciting financial rewards,” says Peh of Digital Shadows.
