Lapsus$ Ransomware: The New Kid on the Cybercriminal Block

Posted by Trevagh Stankard on Tue, Jan 11th, 2022

The new year has only just begun, and the ransomware shenanigans have started. A new variant of ransomware known as Lapsus$ has made its mark, targeting several major organizations, and will likely turn up in more places as the year unfolds. The staggering arrogance of the hacking gang behind Lapsus$ ransomware, known as the Lapsus$ Group is the stuff of legend: the gang sent out a Tweet from one of the affected companies' Twitter accounts announcing that a person called “Lapsus$ was the new president of Portugal”. This tweet was a sinister way to demonstrate the gang's hold over the infrastructure of that organization. Here is some of the latest information on the Lapsus$ ransomware and how it could affect your company.

The Latest on Lapsus$ Afflicted Organizations

According to The Record, the largest media conglomerate in Portugal, Impresa, was a target of the Lapsus$ ransomware over the New Year holiday break. Impresa owns the country's largest TV channel and newspaper, SIC and Expresso. It was the Expresso Twitter account that the hackers used to bait the organization in a show of strength, to demonstrate their control over the company's IT infrastructure. According to The Record, the hacking gang also defaced all the Impresa websites, placing a ransom note (in Portuguese) on the home page of each site. The note also alerted readers that the hacking gang had control over Impresa’s Amazon Web Services (AWS) account.

As well as the takeover of the Expresso Twitter account, the hackers also gained control of the Espresso newsletter, sending out phishing emails to Expresso subscribers telling them that the president of Portugal had been murdered.

This move from pure exploitation of data to social media control has led to a view from Espresso into the motive of the Lapsus$ attack. This motive was revealed in a statement on the company's website: “The invasion of a large media group is a source of pride for them and something to brag about with their peers. These entities enjoy illicit entry and sabotage. And this could be in Portugal or any other country” (translated from Portuguese).

Other targets have also surfaced and include Brazil’s Ministry of Health (MoH) and Brazilian telecommunications operator Claro. The MoH lost 50 TB of data in the attack. The gang also claimed to have deleted the data that held the information needed to issue Covid vaccination certificates.

If Impresa commentators are correct and the Lapsus$ Group is doing this for the kudos, then it is likely that they will continue to target well-known media outlets and large government organizations. Now, the attacks seem to center around Spanish and Portuguese-speaking countries, and subsequently, the ransom message appears in those languages.

How Lapsus$ Ransomware Makes its Mark

Expert analysis, so far, believes that the Lapsus$ Group started the ransomware attack using a phishing email. According to a global survey of Managed Service Providers (MSPs), phishing is behind over half of all ransomware attacks. Phishing is an easy way into corporate networks, with a single download or a click to a website with the entry of login credentials, hackers can begin to infiltrate a network, escalating privileges to the point where they control administration-level accounts. This account access is exploited by Lapsus$ in the form of blatant displays of their control by hacking Twitter and other social media accounts. It is highly likely that this level of showmanship will be lauded by the hackers’ contemporaries and may become part of an ongoing attack profile.

The security industry has noted in the last few years a change of ransomware harms, moving to a double-whammy and even triple-whammy model, extending outside the simple ‘encrypt and ransom’ style attack. In the Lapsus$ attack, which is still under investigation by security experts, the ransomware attackers are not only encrypting and stealing data but playing with extended options including account takeover and control.

What to Expect in Terms of Ransomware in 2022

Ransomware captured the headlines in 2021 with hacking gangs such as REvil and Darkside running amok. Mega attacks on critical infrastructure services such as Colonial Pipeline caused widespread disruption to the company as well as the public. The Lapsus$ Group headline this early in the year is perhaps a taste of things to come. Ransomware is big business for cybercriminals with the average ransom increasing by over 518% in 2021. But there now seems to be a new element being played out, that of bragging rights. If the Lapsus$ attacks are anything to go by, ransomware futures are likely to be more brazen attacks with social media account takeovers and website defacement. All of this has major impacts on brand identity and reputation. This now, ‘quadruple-whammy’ caused by ransomware, includes encryption, data theft, phishing of customers, and social media takeover, and this multi-level attack impact may be here to stay.

Don’t Let Ransomware Spoil Your Year and Your Business

Ransomware is dangerous for any company, not just larger corporates. Hacking gangs make ransomware available as-a-Service (RaaS) using subscription models for payment. All companies, across all sectors, and of all sizes, are at risk of the damage done by a ransomware attack. To protect your organization from the harms of ransomware make sure that you:

• Deploy an anti-spam, anti-phishing email protection platform that can scan inbound emails and detect even advanced threats.
• Use web content filtering to prevent employees from navigating to harmful websites.
• Provide employees with phishing awareness training to raise their awareness against it.
• Enable multi-factor authentication (2FA/MFA) to control access to local and cloud apps.
• Use security awareness training with all staff members to improve security hygiene and help detect phishing emails and social engineering attempts.