Lapsus Ransomware Gang Continues with High Profile Attacks

The Lapsus ransomware gang only is a new threat group that first appeared in December 2021 but has already started building a name for itself with several high-profile attacks already conducted, the latest being the ransomware attack on GPU giant NVIDIA.

Sensitive Employee Data and Source Code Stolen from NVIDIA

NVIDIA said it detected the attack on February 23, 2021, and announced on February 25 that it was investigating a security incident. The Lapsus (aka Lapsus$) ransomware outfit was soon to take credit and proceeded to publicly leak highly sensitive data stolen prior to file encryption. While NVIDIA did not state exactly what sensitive data the gang obtained in the attack, the Lapsus gang claimed on its Telegram channel that it obtained 1TB of data, which was claimed to include highly sensitive confidential, secret data including proprietary source code for the NVIDIA hash rate limiter of its latest RTX 30-series GPUs, which kicks in they detect Ethereum mining and halves the hash rate.

Among the gang’s demands was for NVIDIA to ditch the hash rate limiter and make all of its GPU drivers open source now and forever, otherwise, the gang will proceed to publish the stolen source code and all silicon, graphics, and computer chipset files for its latest GPUs.

The Rapid Rise of the Lapsus Ransomware Gang

The Lapsus ransomware gang first appeared in December having conducted an attack on the Brazil Ministry of Health, which was followed by further attacks in Brazil including the telecommunications operator Claro and the car rental firm Localiza. In January 2021, the gang targeted the Portuguese media conglomerate Impresa, which is the largest in the country. Impresa owns the main TV channel in the country, SIC, and the weekly newspaper Expresso. The attacks in Portuguese-language-speaking countries have led some security experts to believe that the gang could be operating out of Brazil or elsewhere in South America.

The gang differs in its approach to many ransomware gangs which conduct their attacks purely for financial gain. Lapsus appears to be conducting attacks, at least in part, for kudos within the hacking community and is very public about the attacks it conducts – an approach that is proving troublesome for victims.

Lapsus Ransomware Attacks Cause Brand and Reputation Damage

Lapsus ransomware attacks can be highly damaging for victims, not only causing disruption to business processes but also loss of reputation and brand damage. The attack on Localiza saw the gang redirect the website to PornHub, which was followed by an announcement that they have turned one of the largest car rental companies in South America into a porn site. The attack on Impresa saw websites defaced and ransom notes uploaded to alert all visitors that they had control over Impresa’s Amazon Web Services (AWS) account.

In the Impresa attack, the gang also compromised the Expresso newsletter and sent phishing emails to its subscribers using a lure that the President of Portugal had been murdered. The Expresso Twitter account was also hijacked, and a tweet was sent stating “Lapsus$ is officially the new president of Portugal.”

Rather than simply conducting attacks to extort money, the gang steals data, publishes the data, issues unreasonable demands, hijacks social media accounts, and conducts phishing attacks on customers. Expresso issued a statement on its website (translated from Portuguese) saying, The invasion of a large media group is a source of pride for them and something to brag about with their peers. These entities enjoy illicit entry and sabotage. And this could be in Portugal or any other country.”

Brett Callow, threat analyst at Emsisoft, said the Lapsus ransomware gang appears to be somewhat amateurish and has suggested the gang may consist of individuals who are not experienced cybercriminals.

Defending Against Lapsus and Other Ransomware Attacks

With ransomware one of the biggest threats, it is important for businesses of all sizes to take steps to improve their defenses. Unfortunately, there is no single measure that can be implemented to block attacks. Businesses should ensure they back up their data regularly, test the backups to ensure file recovery is possible, and keep those backups offline. Anti-spam solutions should be implemented to block phishing and malware delivery via email, and MFA should be implemented on email and other accounts. Prompt patching is required to prevent the exploitation of vulnerabilities, vulnerability scans should be regularly conducted, remote access security should be hardened, and unused ports disabled. It is also important to provide regular security awareness training to teach employees how to recognize common threats.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of