{"id":18506,"date":"2022-03-15T10:45:12","date_gmt":"2022-03-15T18:45:12","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/15\/news-12239\/"},"modified":"2022-03-15T10:45:12","modified_gmt":"2022-03-15T18:45:12","slug":"news-12239","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/15\/news-12239\/","title":{"rendered":"The Lapsus$ Hacking Group Is Off to a Chaotic Start"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62294a44e9f8d17d4c9f815b\/master\/pass\/Lapsus$%20Extortion%20Group-Security.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 15 Mar 2022 17:04:04 +0000<\/strong><\/p>\n<p><span class=\"lead-in-text-callout\">Ransomware gangs have<\/span> <a href=\"https:\/\/www.wired.com\/story\/ransomware-gone-corporate-darkside-where-will-it-end\/\">become well-oiled moneymaking machines<\/a> in their quest for criminal profit. 
But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, cavorting about with a strong social media presence on <a href=\"https:\/\/www.wired.com\/story\/how-telegram-became-anti-facebook\/\">Telegram<\/a>, a string of high-profile victims\u2014including Samsung, Nvidia, and Ubisoft\u2014calamitous leaks, and dramatic accusations that add up to a reckless escalation in <a href=\"https:\/\/www.wired.com\/story\/ransomware-2020-headed-down-dire-path\/\">an already unlawful industry<\/a>.<\/p>\n<p class=\"paywall\">What makes Lapsus$ noteworthy, too, is that the group isn&#x27;t really a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then <a href=\"https:\/\/www.wired.com\/story\/apple-ransomware-attack-quanta-computer\/\">threatening to leak the stolen information<\/a> unless the victim pays up, Lapsus$ seems to exclusively focus on the data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.<\/p>\n<p class=\"paywall\">\u201cIt\u2019s all been quite erratic and unusual,\u201d says Brett Callow, a threat analyst at the antivirus company Emsisoft. \u201cMy sense is that they are a talented but inexperienced operation. Whether they will seek to expand and bring on affiliates or keep it small and lean remains to be seen.\u201d<\/p>\n<p class=\"paywall\">Lapsus$ emerged just a few months ago, at first focused almost exclusively on Portuguese-language targets. In December and January, the group hacked and attempted to extort Brazil\u2019s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. 
In some cases, Lapsus$ also mounted denial-of-service attacks against victims, making their sites and services unavailable for a period of time.\u00a0<\/p>\n<p class=\"paywall\">Even in those early campaigns, Lapsus$ got creative; it set Localiza&#x27;s website to redirect to an adult media site for a couple of hours until the company could revert it.\u00a0<\/p>\n<p class=\"paywall\">As the attackers have ramped up and gained confidence, they&#x27;ve expanded their reach. In recent weeks, the group has hit Argentine ecommerce platforms MercadoLibre and MercadoPago, claims to have breached the British telecom Vodafone, and has begun leaking sensitive and valuable source code from Samsung and Nvidia.\u00a0<\/p>\n<p class=\"paywall\">\u201cRemember: The only goal is money, our reasons are not political,\u201d Lapsus$ wrote in its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram at the end of February, it added, \u201cPlease note: We are not state sponsored and we are not in politics AT ALL.\u201d<\/p>\n<p class=\"paywall\">Researchers say, though, that the truth about the gang&#x27;s intentions is murkier. Unlike many of the most <a href=\"https:\/\/www.wired.com\/story\/trickbot-malware-group-internal-messages\/\">prolific ransomware groups<\/a>, Lapsus$ seems to be more of a loose collective than a disciplined, corporatized operation. \u201cAt this point it&#x27;s difficult to say with certainty what the group\u2019s motivations are,\u201d says Xue Yin Peh, a senior cyber-threat intelligence analyst at the security firm Digital Shadows. 
\u201cThere are no indications yet that the group uses ransomware to extort victims, so we can\u2019t confirm that they\u2019re financially motivated.\u201d<\/p>\n<p class=\"paywall\">Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia didn&#x27;t meet a series of unusual demands. At first the gang told the chipmaker to remove an anti-crypto-mining feature called Lite Hash Rate from its GPUs. Then Lapsus$ demanded that the company release certain drivers for its chips.<\/p>\n<p class=\"paywall\">\u201cThe focus on cryptocurrency mining suggests that the group may ultimately be financially driven, however they are certainly taking a different approach than other groups in soliciting financial rewards,\u201d Digital Shadows&#x27; Peh says.<\/p>\n<p class=\"paywall\">In a tumultuous turn, Lapsus$ also accused Nvidia of \u201chacking back\u201d\u2014lashing out against the group in retaliation for the attacks. A source close to the Nvidia incident disputed the claims, though, telling WIRED that the company did not hack back or deploy malware against Lapsus$.<\/p>\n<p class=\"paywall\">\u201cIt&#x27;s difficult to say. The only source we&#x27;ve had for it is the ransomware group themselves,\u201d says independent security researcher Bill Demirkapi of the claims. 
\u201cThe explanation they gave for how Nvidia hacked back does make sense, but I always take such statements with a grain of salt, because Lapsus$ has an incentive to make Nvidia look as bad as possible.\u201d<\/p>\n<p class=\"paywall\">Nvidia said in a statement that it learned about the breach on February 23 and quickly \u201cfurther hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.\u201d The company acknowledged that the attackers stole employee authentication credentials and some proprietary data.<\/p>\n<p class=\"paywall\">In a blithe, even rash move, Lapsus$ also included two sensitive Nvidia code-signing certificates in its leaks. Other attackers quickly abused them to make their malware look more authentic and trustworthy in certain scenarios.\u00a0<\/p>\n<p class=\"paywall\">\u201cThis group operates on street cred and clout,\u201d says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant. \u201cThey&#x27;re bragging to their friends, and if they get money, they&#x27;ll take it, but money doesn&#x27;t seem to be the sole or even primary driver. So a victim company that wants to negotiate with them and may think about paying them likely won\u2019t get the outcome they\u2019re hoping for.\u201d<\/p>\n<p class=\"paywall\">That thirst for notoriety makes Lapsus$ particularly reckless and disruptive. While they don\u2019t encrypt systems, Lapsus$ has deleted files and virtual machines, and generally caused \u201ca whole lot of chaos,\u201d as Carmakal puts it.<\/p>\n<p class=\"paywall\">Just a few days after it began leaking Nvidia data, Lapsus$ also announced that it had stolen 190 gigabytes of data from Samsung, including boot-loader source code and algorithms for the Galaxy smartphone line&#x27;s biometric authentication system. 
Samsung <a data-offer-url=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-03-07\/samsung-says-hackers-breached-company-data-galaxy-source-code\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bloomberg.com\/news\/articles\/2022-03-07\/samsung-says-hackers-breached-company-data-galaxy-source-code&quot;}\" href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-03-07\/samsung-says-hackers-breached-company-data-galaxy-source-code\" rel=\"nofollow noopener\" target=\"_blank\">confirmed<\/a> last week that it suffered a breach.<\/p>\n<p class=\"paywall\">A few days later, Ubisoft joined the fray. \u201cLast week, Ubisoft experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services,&quot; the company wrote in a <a data-offer-url=\"https:\/\/news.ubisoft.com\/en-gb\/article\/3tSsBh25mhHhlbGSy1xbRw\/ubisoft-cyber-security-incident-update?utm_source=narrativ\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/news.ubisoft.com\/en-gb\/article\/3tSsBh25mhHhlbGSy1xbRw\/ubisoft-cyber-security-incident-update?utm_source=narrativ&quot;}\" href=\"https:\/\/news.ubisoft.com\/en-gb\/article\/3tSsBh25mhHhlbGSy1xbRw\/ubisoft-cyber-security-incident-update?utm_source=narrativ\" rel=\"nofollow noopener\" target=\"_blank\">statement<\/a> on Thursday. \u201cAs a precautionary measure we initiated a company-wide password reset \u2026 There is no evidence any player personal information was accessed or exposed as a by-product of this incident.\u201d<\/p>\n<p class=\"paywall\">Specific details about the group remain scarce for now. Researchers suspect that Lapsus$ is based in South America, potentially in Brazil, and say it may have a few members in Europe as well, perhaps in Portugal. 
Lapsus$ doesn&#x27;t have a homepage on the dark web for posting samples of leaked data and negotiating with victims. Instead, in an unorthodox move for ransomware groups, the gang uses Telegram for most of its public-facing operations.<\/p>\n<p class=\"paywall\">\u201cOne unusual tendency of Lapsus$ is their use of Telegram to broadcast victims\u2019 identities,\u201d Digital Shadows&#x27; Peh says. \u201cAbusing a legitimate tool like Telegram ensures Lapsus$\u2019s data leak channel will see minimum disruption, and that their victims\u2019 identities can be exposed to anyone with an internet connection.\u201d<\/p>\n<p class=\"paywall\">One of Lapsus$&#x27;s trademark antics is to run polls on its Telegram channel where onlookers can vote for whose data the gang should publish next.<\/p>\n<p class=\"paywall\">\u201cIt\u2019s very reminiscent of the Lulzsec folks and even Anonymous back in the day,\u201d Mandiant&#x27;s Carmakal says of the two hacktivist collectives that rose to prominence in the early 2010s. \u201cThose folks had political motivations, or pretended to, but were also doing it for the fame and glory, and Lulzsec in particular was more overt about doing it for fun. With Lapsus$ it&#x27;s a very dangerous thing for people to do for fun, and they will be arrested at some point in time.\u201d<\/p>\n<p class=\"paywall\">In the meantime, though, the question for Big Tech is, who will be in Lapsus$&#x27;s crosshairs next? 
It seems that no target is too big or influential to be out of reach\u2014and that the demands may be just as hard to predict.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/lapsus-hacking-group-extortion-nvidia-samsung\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62294a44e9f8d17d4c9f815b\/master\/pass\/Lapsus$%20Extortion%20Group-Security.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 15 Mar 2022 17:04:04 +0000<\/strong><\/p>\n<p>Telegram polls. Unusual demands. The latest extortion gang is on an unorthodox rampage.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18506","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18506"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18506\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http
:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18506"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}