Lapsus$'s legacy: new extortion gangs on the rise

The Lapsus$ extortion group has largely gone quiet after catching our attention in the first months of 2022, but extortion attacks are here to stay.

The Lapsus$ extortion group made a considerable splash after bragging about attacks against Okta, Globant, Nvidia, and even Samsung.

“Even though the breaches at Samsung, Microsoft, and Okta did not have the technical impact we all fear from an incident at companies of that caliber, the disruption was still considerable,” Tenable researcher Claire Tills said.

Even if the gang was just a bunch of script kiddies, opportunistic data thieves like them cause enough disruption to businesses. According to Tills, Lapsus$'s 15 minutes of fame were marked by idiosyncrasies and apparent mistakes.

In her latest blog post, Tills emphasized that Lapsus$ is an extortion group, not a ransomware group. Ransomware refers to incidents in which data-encrypting malware (ransomware) is deployed and access to the encrypted systems is ransomed back to the target organization.

“Extortion groups like Lapsus$ focus on opportunistic data theft and threats to publicly release the stolen data. Occasionally, these groups will also delete the original data,” she said.

While groups like Conti are well-organized, Tills said, Lapsus$'s behavior was more immature and impulsive, closer to the teenager-in-a-basement stereotype. It turned out that some group members were teenagers from Brazil and the UK.

The Lapsus$ group differs from other threat actors in a key way: it does not operate a data leak website.

“The group solely uses its Telegram channel to announce victims, often soliciting input from the broader community on which organization’s data to release next. Compared with the polished, standardized sites of ransomware groups (like AvosLocker, LockBit 2.0, Conti), these practices come off as disorganized and immature,” Tills said.

New players

Lapsus$ might be gone for good (or just lying low for a while), but extortion attacks aren’t going anywhere.

“RansomHouse group has been rising in prominence. Like Lapsus$, it has been categorized by some as a ransomware group, but it does not encrypt data on target networks. Many of its tactics are similar to that of the Lapsus$ group’s; RansomHouse even advertised its activities on the Lapsus$’s Telegram channel,” Tills noted.

Recently, US government agencies warned about the Karakurt extortion group.

“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the advisory reads.

Reported ransom demands have ranged from $25,000 to $13 million in Bitcoin, with payment details typically expiring within a week.

How organizations should respond

“In its analysis of the incident targeting its own systems, Okta points to its adoption of zero trust as a key defense mechanism. The additional authentication steps required to access sensitive applications and data prevented the Lapsus$ group from achieving access that could have had catastrophic impact on Okta and its customers,” Tills said.

Extortion groups seek to compromise Active Directory (AD) so they can pivot from their initial foothold to higher-privileged accounts. Therefore, proper AD configuration and monitoring are as critical for stopping extortion as they are for stopping ransomware.
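As an added illustration of the AD monitoring point above (example code written for this page, not Tenable's or the article's own), the following Python detector runs over a handful of constructed Windows Security events and flags two things a defender watching for privilege pivoting cares about: an account being added to a privileged group (event IDs 4728, 4732 and 4756 are the standard Windows "member added to security-enabled group" events) and a special-privilege logon (event ID 4672) by an account that is not on the known-administrator allowlist. The flattened field names `EventID`, `SubjectUser`, `MemberName` and `TargetGroup` are a simplifying assumption; real exports use longer names such as `SubjectUserName`.

```python
"""Flag privileged-group additions and unexpected admin logons in a JSON-lines
export of Windows Security events.

Assumptions: event IDs 4728/4732/4756 (member added to a security-enabled
global/local/universal group) and 4672 (special privileges assigned to a new
logon) carry their usual Windows meaning; field names are simplified. The
sample events at the bottom are constructed for this example, not real logs.
"""
import json
from dataclasses import dataclass

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
SPECIAL_LOGON_EVENT = 4672


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    subject: str   # account that performed the action or logged on
    detail: str


def parse_jsonl(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list[dict], known_admins: set[str]) -> list[Alert]:
    """Return alerts in event order.

    Rule 1: any 4728/4732/4756 whose target group is privileged.
    Rule 2: any 4672 whose subject is not an expected admin account.
    """
    alerts: list[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUser", "<unknown>")
        if eid in GROUP_ADD_EVENTS and ev.get("TargetGroup") in PRIVILEGED_GROUPS:
            alerts.append(Alert(
                "privileged_group_add", eid, subject,
                f"{ev.get('MemberName', '<unknown>')} added to {ev['TargetGroup']}",
            ))
        elif eid == SPECIAL_LOGON_EVENT and subject not in known_admins:
            alerts.append(Alert(
                "unexpected_special_logon", eid, subject,
                f"special privileges assigned on {ev.get('Computer', '<unknown>')}",
            ))
    return alerts


# Constructed sample: one benign logon, one privileged-group change, one
# expected admin logon, one unexpected admin logon, one harmless group change.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "SubjectUser": "CORP\\jdoe", "Computer": "WS01"}
{"EventID": 4728, "SubjectUser": "CORP\\helpdesk.bob", "MemberName": "CORP\\svc-backup", "TargetGroup": "Domain Admins", "Computer": "DC01"}
{"EventID": 4672, "SubjectUser": "CORP\\admin.jane", "Computer": "DC01"}
{"EventID": 4672, "SubjectUser": "CORP\\jdoe", "Computer": "DC01"}
{"EventID": 4732, "SubjectUser": "CORP\\helpdesk.bob", "MemberName": "CORP\\jdoe", "TargetGroup": "Remote Desktop Users", "Computer": "WS01"}
"""

if __name__ == "__main__":
    for alert in analyze(parse_jsonl(SAMPLE_EVENTS), {"CORP\\admin.jane"}):
        print(f"[{alert.rule}] event {alert.event_id} by {alert.subject}: {alert.detail}")
```

The allowlist is the tuning knob: in a real deployment it would come from the directory rather than a literal set, and a member addition to a privileged group would be correlated with a change ticket before being dismissed. Running the block as-is produces two alerts, the `Domain Admins` addition and the 4672 logon by `CORP\jdoe`.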

“Additionally, these extortion groups are very likely to target cloud environments,” Tills added.

Extortion gangs rely on legacy vulnerabilities that organizations have left unpatched.