The Lapsus$ Hacking Group is off to a chaotic start

Ransomware gangs have become well-oiled money machines in their quest for criminal profit. But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, arriving with a strong social media presence on Telegram, a string of high-profile victims (including Samsung, Nvidia, and Ubisoft), disastrous leaks, and dramatic allegations that add up to a reckless escalation in an already illegitimate industry.

What also makes Lapsus$ remarkable is that the group isn’t exactly a ransomware gang. Rather than exfiltrate data, encrypt target systems, and then threaten to leak the stolen information unless the victim pays, Lapsus$ seems to focus solely on data theft and extortion. The group gains access to victims through phishing attacks and then steals the most sensitive data it can find without using data-encrypting malware.

“It’s all been quite erratic and unusual,” said Brett Callow, a threat analyst at antivirus company Emsisoft. “My sense is that they are a talented but inexperienced operation. Whether they will try to expand and bring in affiliates or keep it small and lean remains to be seen.”

Lapsus$ came into existence just a few months ago, initially focusing almost exclusively on Portuguese-speaking targets. In December and January, the group hacked and extorted the Brazilian Ministry of Health, Portuguese media giant Impresa, South American telecom companies Claro and Embratel and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also performed denial-of-service attacks on victims, rendering their sites and services unavailable for a period of time.

Even in those early campaigns, Lapsus$ got creative; it caused Localiza’s website to be redirected to a mature media site for a few hours until the company could restore it.

As the attackers have ramped up and gained confidence, they have increased their range. In recent weeks, the group has hit Argentina’s e-commerce platforms MercadoLibre and MercadoPago, claims to have breached UK telecom Vodafone, and has begun leaking sensitive and valuable source code from Samsung and Nvidia.

“Remember: the only purpose is money, our reasons are not political,” Lapsus$ wrote in its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram in late February, it added: “Please note: we are not state sponsored and we are NOT in politics AT ALL.”

However, investigators say the truth about the gang’s intentions is murkier. Unlike many of the most prolific ransomware groups, Lapsus$ appears to be more of a loose collective than a disciplined, autonomous operation. “At this point, it’s difficult to say for sure what the group’s motivations are,” said Xue Yin Peh, senior cyber-threat intelligence analyst at security firm Digital Shadows. “There is no evidence yet that the group is using ransomware to extort victims, so we cannot confirm that they are financially motivated.”

“This group operates on street value and clout.”

Charles Carmakal, Mandiant

Lapsus$ breached Nvidia in mid-February and stole 1 terabyte of data, including a significant amount of sensitive information about Nvidia graphics card designs, source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia staff. The group threatened to release more and more data if Nvidia failed to comply with a series of unusual demands. Initially, the gang told the chipmaker to remove an anti-crypto mining feature called Lite Hash Rate from its GPUs. Next, Lapsus$ demanded that the company release certain drivers for its chips.

“The focus on cryptocurrency mining suggests that the group may eventually become financially driven, but they certainly take a different approach than other groups when asking for financial rewards,” said Peh of Digital Shadows.
