Ransomware Gangs: Lapsus$

In September of this year, the ride-share company Uber suffered a cyberattack where a threat actor infiltrated the organization’s internal systems. The culprit, who was a threat actor affiliated with the Lapsus$ extortion group, heavily relied on social engineering techniques in the incident.

Since March, the group has been carrying out attacks and making headlines for the damage they’ve caused. This article will discuss Lapsus$ and analyze the important cybersecurity details from previous attacks.

The Origin of Lapsus$

Lapsus$ first made headlines in 2021 after threat actors hit several multi-billion-dollar companies, including Uber, Nvidia, T-Mobile, and Samsung. Unlike many established and professional gangs, most of which rely on ransomware, Lapsus$ is a data extortion gang that steals data from a company and then makes a profit from threatening to reveal this stolen information. Ransomware installation to encrypt systems or files are not present in these attacks and instead of running a dark leak site, Lapsus$ operates via messaging app Telegram. 

In an official release, NVidia stated that they became aware of “a cyber security incident, which impaRed word "Ransomware" hidden in the middle of a binary code sequence.cted IT resources.” The group took responsibility and requested Nvidia remove its lite hash rate (LHR) feature and open-source its GPU drivers for macOS, Windows, and Linux devices. NVidia failed to meet the demands, and Lapsus$ threatened to publish their source code, which is used in drivers and firmware. In March, they published nearly 190GB of sensitive data obtained from Samsung.

The group first published a snapshot of C/C++ instructions on Samsung’s software followed by a description of the leak, stating that it included Samsung´s confidential source code. Samsung confirmed that almost 200 GB of confidential data which includes source code for various technologies and algorithms for biometric unlock operations had been breached.

Since then, a 16-year-old from Oxford has been accused of being one of the leaders and is alleged to have accumulated $14m (£10.6m) after being named by rival hackers and researchers.

How Lapsus$ Operates

Research from this past March uncovered how Lapsus$ and how it was able to breach some of the largest international organizations. The research found that Lapsus$ uses social engineering and extortion campaigns, and operates on a pure extortion and destruction model. The same research found that the attack methods used by Lapsus$ varied, some were elaborate, and some were used less frequently than other, more mature threat actors.

Social Engineering and Initial Access

The social engineering tactics provided hackers with knowledge of employees and companies. The goal of the group is to gain elevated access to businesses through stolen credentials that enable data theft and destructive attacks. The group called help desks and convinced them to reset account credentials after learning how they work, before dropping into crisis communication channels on platforms such as Slack and Teams.

This required the hackers to breach a company to understand how they responded to a security incident, responding in a way that helped them evade detection. Lapsus$ achieves initial access through a variety of methods, such as deploying the Redline password stealer and searching for exposed credentials, buying credentials through initial access brokers, or directly paying company employees for access, a tactic they advertised on Telegram.

Harvesting Data and Extortion Tactics

Research showed that Lapsus$ also used virtual private networks (VPNs) in a way that proved the criminals understood how cloud monitoring services detect suspicious activity. The group also created virtual machines on victims’ cloud infrastructure to launch further attacks before locking the business out of its cloud platform altogether. Once Lapsus$ overpowered the targeted business, it would ensure all of the organization's inbound and outbound email was forwarded to its infrastructure, where it would compromise as much data as possible before deleting systems and resources. In some cases, Lapsus$ would then either extort the victims to prevent the release of the data or post it online publicly.

Preventing An Attack

Cyber security systems for business networkIt is not always possible to prevent an attack, however, adopting best practices and investing in a proactive, fully-managed email security solution can drastically reduce your risk. Some basic tips for preventing a ransomware attack include:

  • Think before you click, make sure you have confirmed the legitimacy of an email before downloading any attachments it contains.
  • Make sure your OS is patched and updated, reducing the chance of vulnerabilities existing that criminals could exploit.
  • Backup your files frequently and automatically. This won’t prevent a ransomware attack, but it can reduce the damage caused by one. Be aware that backups are not foolproof: ransomware may sit idle for weeks until it is triggered, potentially destroying backups.
  • Invest in a comprehensive, proactive cloud email security solution that accurately detects malicious emails and prevents them from reaching the inbox.

With proper preparation, you can drastically lower the cost and impact of a ransomware attack. Adopting the following best practices can reduce an organization’s exposure to ransomware and minimize potential damage.


Training your staff is the most rudimentary action you can take to prepare for a ransomware attack. Knowing what to look for when a malicious file appears in their inbox and end-user training are key first steps in protecting sensitive data. However, in order to be effective it must also be continuous so it is critical that you run frequent phishing tests and ensure that employees are alert, aware, and knowledgeable. 

Email Security

When it comes to cybersecurity, solutions must be layered to ensure the most coverage. A multi-layered approach is essential in preventing ransomware as cyberattacks continue to grow more sophisticated, as should the tools that prevent them. Having multiple tools in place, like email security gives your organization a holistic defense ready to prevent ransomware.

Multi-Factor Authentication

MFA confirms a user’s identity with the use of a combination of factors, with the most common one being their credentials, and the second being a limited-time one-time password (OTP), biometric, or key card. MFA can most easily be understood as something you know and something you have. This additional authentication reduces unauthorized access as the attacker needs all three pieces of required information during authentication.


Data backups enable an organization to recover from an attack with a minimum of data loss and without paying a ransom. Performing route backups are important for preventing data loss, as well as being able to recover in the event of corruption or disk hardware malfunction. Functional backups can also help organizations recover from ransomware attacks.

Lapsus$ Vs. Uber

Lapsus$ Uber news headlineThis past September, Uber Technologies Inc disclosed that a hacker affiliated with the Lapsus$ hacking group was responsible for a cyber attack that forced the company to temporarily shut down several internal communications.

Uber also said that the attacker had not accessed any user accounts or databases that store sensitive user information, such as credit card numbers, bank accounts, or trip details. "The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact," Uber said.

It was later confirmed that a hacker compromised an employee's account on Slack and used it to send a message to Uber employees announcing that the company had suffered a data breach. Cybersecurity has been an issue for Uber in the past, as the company suffered a significant hack in 2016 that exposed the personal information of roughly 57 million customers and drivers.

Keep Learning

Two things are known about Lapsus$, no target is too big or influential to be out of reach and the demands may be just as difficult to predict. To keep your IT infrastructure secure, ensure your network security gateways and your endpoint device security solutions are updated with the appropriate protection against stolen certificates.

  • Prepare your business for cyberattacks to make sure employees stay safe online.
  • Improve your email security posture by following best practices to protect against attacks and breaches.
  • Keeping the integrity of your email safe requires securing the cloud with spam filtering and enterprise-grade anti-spam services.
  • Learn more about the consequences of modern phishing attacks in our Phishing eBook.

Must Read Blog Posts

Latest Blog Articles