Lapsus$ faked its status as a ransomware group and grossly exaggerated the scale of its attacks, according to fresh data released today by cybersecurity analyst Digital Shadows.
“While Lapsus$ claimed to have used ransomware in its early attacks, there was no evidence of the group ever using any encrypting malware,” said the report, which went on to cite research by Microsoft indicating it relied instead on social engineering techniques and credential harvesting to exfiltrate data.
Moreover, the group – believed to include teenagers arrested in the UK last month – made inflated claims about its criminal prowess, for instance boasting of stealing 1TB of data from Nvidia in February when in fact it only obtained 18.8GB.
Though the data leak was still substantial, it amounted to less than a fiftieth of the haul initially claimed by the group.
“Lapsus$ became so frustrated with users asking for the Nvidia ‘Part Two’ breach that it became a rule in their Telegram [chat] to ‘stop asking about Nvidia’,” Digital Shadows noted. This rule was stipulated on the group’s forum along with others saying, “no porn” and “not too much trolling.”
“Although Lapsus$ is certainly a threat group who should be taken seriously, they are also a good example of how some threat actors may exaggerate their attacks to make them appear bigger than they actually are,” said Digital Shadows.
Ransom groups fearful
Meanwhile, the real ransomware groups have begun shifting their focus away from “big-game hunting” and are going after smaller targets, with the FBI reporting that mid-sized firms in the US are at increased risk. And cyber watchdogs in the UK and Australia have reported “threats from ransomware targeting organizations of all sizes.”
It is thought the reason behind this shift is that ransomware groups are more fearful of reprisals from the authorities in the wake of Russia’s high-profile – and in the light of its subsequent invasion of Ukraine now inexplicable – bust of the REvil ransomware group in January.
“While big-game hunting can result in the highest payouts for ransomware groups, it also comes with many risks,” said Digital Shadows. “As we have seen with attacks such as Colonial Pipeline by DarkSide and Kaseya [by] REvil, attacks against high-profile targets attract the attention of law enforcement and the media.
“By avoiding attacks that draw too much attention, ransomware groups can guarantee longer longevity and less risk to operators and affiliates.”
Further evidence of this new timorousness among gangs emerged from Digital Shadows’ scrutiny of data supplied by the cybercriminals themselves.
“In this past quarter, we observed 582 organizations being named on ransomware leak sites,” it said, adding that this figure marked a 25.3% slump from the last three months of 2021.
“This decrease was caused by a lower number of victims posted to data-leak sites of large ransomware gangs,” said Digital Shadows, citing as an example Conti, which saw a 31.8% decrease in its number of victims. The Russian-affiliated outfit is thought to have suffered at the hands of a Ukrainian defector, after it publicly announced its support of Vladimir Putin’s declaration of war in February.
… but still in business
Despite this reversal of fortunes, Conti remained one of the most active ransomware groups for the quarter, along with its chief rival Lockbit 2.0, with both gangs accounting for 57.8% of such crimes during the period. But if anything, this merely reinforces that most if not all ransom hunters are feeling the pinch of late.
In terms of businesses targeted, industrial firms accounted for a fifth of all attacks, followed by the financial services sector (7%) and construction companies (6.5%). And the US retained the dubious honor of being the primary country of choice for ransom gangs, with nearly four in ten attacks directed at organizations on its soil. A distant second place went to the UK, which reported fewer than a fifth as many victims as its transatlantic cousin.
More from Cybernews: