Ransomware gangs have become well-oiled moneymaking machines in their quest for criminal profit. But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, cavorting about with a strong social media presence on Telegram, a string of high-profile victims—including Samsung, Nvidia, and Ubisoft—calamitous leaks, and dramatic accusations that add up to a reckless escalation in an already unlawful industry.
What makes Lapsus$ noteworthy, too, is that the group isn’t really a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then threatening to leak the stolen information unless the victim pays up, Lapsus$ seems to focus exclusively on data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.
“It’s all been quite erratic and unusual,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “My sense is that they are a talented but inexperienced operation. Whether they will seek to expand and bring on affiliates or keep it small and lean remains to be seen.”
Lapsus$ emerged just a few months ago, at first focused almost exclusively on Portuguese-language targets. In December and January, the group hacked and attempted to extort Brazil’s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also mounted denial-of-service attacks against victims, making their sites and services unavailable for a period of time.
Even in those early campaigns, Lapsus$ got creative; it set Localiza’s website to redirect to an adult media site for a couple of hours until the company could revert it.
As the attackers have ramped up and gained confidence, they’ve expanded their reach. In recent weeks, the group has hit Argentine ecommerce platforms MercadoLibre and MercadoPago, claims to have breached the British telecom Vodafone, and has begun leaking sensitive and valuable source code from Samsung and Nvidia.
“Remember: The only goal is money, our reasons are not political,” Lapsus$ wrote in its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram at the end of February, it added, “Please note: We are not state sponsored and we are not in politics AT ALL.”
Researchers say, though, that the truth about the gang’s intentions is murkier. Unlike many of the most prolific ransomware groups, Lapsus$ seems to be more of a loose collective than a disciplined, corporatized operation. “At this point it’s difficult to say with certainty what the group’s motivations are,” says Xue Yin Peh, a senior cyber-threat intelligence analyst at the security firm Digital Shadows. “There are no indications yet that the group uses ransomware to extort victims, so we can’t confirm that they’re financially motivated.”
Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia didn’t meet a series of unusual demands. At first the gang told the chipmaker to remove an anti-crypto-mining feature called Lite Hash Rate from its GPUs. Then Lapsus$ demanded that the company release certain drivers for its chips.
“The focus on cryptocurrency mining suggests that the group may ultimately be financially driven, however they are certainly taking a different approach than other groups in soliciting financial rewards,” Digital Shadows’ Peh says.