Notorious, extortion-only LAPSUS$ ransomware group has successfully carried out multiple high-profile attacks on companies such as Microsoft, Samsung and Ubisoft – and this is a threat that isn't going anywhere any time soon, warns Claire Tills, senior research engineer at Tenable.

The LAPSUS$ group, widely reported to consist of teenagers, exploded onto the cyber scene late last year and has become one of the most talked about and notorious online extortion groups after successfully breaching major companies like Microsoft, Samsung, Ubisoft and Okta.

Unlike ransomware operators, the LAPSUS$ group represents a growing breed of extortion-only cybercriminals, focusing exclusively on data theft and extortion by gaining access to victims through tried-and-true methods like phishing, and stealing the most sensitive data it can find without deploying data-encrypting malware. The group jumped into the limelight when it launched an attack against Nvidia in late February. With this breach, LAPSUS$ made its debut onto the global stage and started a brief tear through major technology companies.

LAPSUS$ solely operates through a private Telegram group and doesn’t manage a dark web leak site. It’s through Telegram that the group announces victims, often soliciting input from the broader community on which organisation’s data to release next. Compared with the polished, standardised sites of ransomware groups (like AvosLocker, LockBit 2.0, Conti etc), these practices come off as disorganised and immature, states Tenable.

UNCONVENTIONAL AND ERRATIC
With a string of high-profile targets lying in its wake, the LAPSUS$ group gained notoriety for its unconventional tactics and erratic methods. Early attacks featured distributed denial of service (DDoS) and website vandalism. But, as early as 21 January, the LAPSUS$ group was already engaged in the multi-stage breach that eventually led to the incident at Okta. Throughout that maturation process, the LAPSUS$ group heavily leaned on classic tactics, such as purchasing credential dumps, social engineering help desks and spamming multifactor authentication (MFA) prompts to achieve initial access to target organisations.

“Just like ransomware, extortion attacks aren’t going anywhere until they are made too complicated or costly to conduct,” warns Tenable’s Tills. “Organisations should evaluate what defences they have in place against the tactics used, how they can be hardened and whether their response playbooks effectively account for these incidents. While it may feel easy to downplay threat groups like LAPSUS$, their disruption of major international technology companies reminds us that even unsophisticated tactics can have a serious impact.”