Christopher Eaton | January 11th, 2022


An emerging ransomware group, Lapsus$, attacked Portugal-based media giant Impresa, owner of the nation’s largest newspaper and television station, at the dawn of the New Year. The Lapsus$ threat group claimed responsibility for the attack by replacing all Impresa websites with its ransom note (below). Lapsus$ then harassed its victim from Impresa-owned Expresso’s Twitter account, indicating that the group still held access to business-critical systems, including IT server infrastructure, even after some of the affected services had been restored.

Lapsus$ Ransom Note

The ransomware group disclosed in its ransom note that it gained credentialed access to Impresa’s AWS account—likely through spear-phishing. Information regarding a ransom payment or the dissemination of the compromised data has not been publicized; however, it does appear that Lapsus$ currently retains some business-critical information.

The breach of Impresa comes just weeks after Lapsus$ executed a ransomware attack against Brazil’s health ministry. In this attack, the threat group claims to have exfiltrated and subsequently deleted approximately 50TB of data, including COVID-19 vaccination records on millions of Brazilian citizens. The Ministry of Health responded that it does maintain a backup of all reportedly stolen data.

After the cyberattack against Brazil’s health ministry, Lapsus$ claimed responsibility for breaching Brazilian telecommunications company Claro. Cyware reported that this attack netted some 10,000TB of data. Given the close timing of these attacks and the nature of the victims, Lapsus$ gives every appearance of being financially motivated. The ransomware group has even created its own Telegram channel to both shame victims and leak information as part of its extortion plan. Thus far, Lapsus$ has only claimed responsibility for attacking businesses in Portuguese-speaking countries and, given the “Brazilian Portuguese dialect” present in its ransom note, threat researchers think the group is likely Brazil-based. The specific malware utilized by Lapsus$ remains unclear.

All indications are that the Lapsus$ ransomware group is gaining access to its victims’ networks through cloud-based servers and applications—particularly AWS and VMware vCenter—after obtaining credentials through phishing campaigns. Given the aggressive and malicious nature of threat actors, it is more vital than ever to maintain a deep understanding of the current threat landscape. The team at SpearTip is dedicated to not only understanding the threat landscape but also staying several steps ahead of even the most sophisticated threat groups. Our certified engineers at our global network of Security Operations Centers work in a continuous investigative cycle, monitoring partner endpoints for potential threats with the aid of our ShadowSpear Platform. With our future-proof software and industry experts working in tandem, our partners receive the most effective protection, detection, and response against any threat from any ransomware group.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.