top of page
  • Writer's pictureFYEO

Ransomware Group Deep Dive: LAPSUS$


Ransomware groups are an insidious threat to businesses of all sizes and industries, launching attacks on targets worldwide. The LAPSUS$ ransomware group is a relatively new player in the field of ransomware gangs that has already distinguished itself in multiple ways, including its membership, targets, and methods of attack. So what should you know about the LAPSUS$ ransomware group, and how can you best protect yourself?

What Is the LAPSUS$ Ransomware Group?

LAPSUS$ (also spelled Lapsus$) is a cybercriminal gang and ransomware group that first appeared in December 2021. Security researchers believe that many ransomware gangs (such as DarkSide, Clop, and REvil) have Russian-speaking members or ties to countries of the former Soviet Union. However, LAPSUS$ may have members worldwide, including in the United Kingdom and Brazil.

The LAPSUS$ ransomware group is also noteworthy for its choice of communication method. Most ransomware gangs limit themselves to sites on the Dark Web. However, LAPSUS$ maintains a channel on the messaging service Telegram, which is visible to anyone who downloads the Telegram mobile app. Here, the LAPSUS$ hackers boast of their recent attacks, post leaked data, and provide their own perspective on media coverage of their work.

Despite its meteoric rise, the fate of the LAPSUS$ ransomware group is up in the air. In March 2022, British police arrested a 16-year-old allegedly connected to the group. The teenager's identity had apparently been leaked on the website of a rival hacking group after the two parties had a falling out.

However, researchers believe that the LAPSUS$ group has members in other countries, including Brazil. In October 2022, Brazilian authorities made a "key arrest" of the group's "main Brazilian suspect."

LAPSUS$ Cyberattacks

Since its inception, LAPSUS$ has racked up several attacks on the world's biggest tech companies, including:

  • February 2022: LAPSUS$ hacked into the networks of the GPU manufacturer NVIDIA, stealing almost one terabyte of data. The attackers also made demands of NVIDIA, such as making their GPU driver code open-source.

  • March 2022: LAPSUS$ hackers breached the Microsoft network by compromising a user's account. The attackers later posted a torrent containing the partial source code of Microsoft products such as Bing and Cortana.

  • September 2022: Uber stated that it believed its recent hack was the work of LAPSUS$ due to the hacking technique (bypassing two-factor authentication on the account of one of the company's third-party contractors). Uber later said the hacker had not accessed user accounts or sensitive information.

LAPSUS$ has also pulled off several ransomware attacks, such as hacking into the Brazilian Ministry of Health in December 2021 and encrypting the COVID-19 vaccination data of millions of people. However, LAPSUS$ is notable among ransomware gangs because ransomware is not always a key component of the group's attacks. The hackers often demand payment through other methods, such as by threatening to leak the victim's stolen data.

How Does LAPSUS$ Ransomware Work?

Little data is available on the strain of ransomware that LAPSUS$ used in its December 2021 attack on Brazil's Ministry of Health. Much more information is available on the group's high-profile activities, such as when targeting major tech companies. Ransomware does not appear to be a significant modus operandi for LAPSUS$, which means that the gang might be more accurately called an "extortion group" or "attack group."

Nevertheless, some of the techniques used by LAPSUS$ hackers resemble those of ransomware gangs. LAPSUS$ hackers gain initial access to their targets' networks through means such as:

  • Social engineering, bribing or tricking employees at the target company or its partners.

  • Malware, such as the RedLine password stealer, spies on users as they enter their account names and passwords into a web browser.

  • Buying credentials from initial access brokers and other Dark Web criminals.

Once inside the network, LAPSUS$ hackers engage in reconnaissance, lateral movement, and privilege escalation, attempting to hide their activities. The techniques used here include exploiting unpatched vulnerabilities in software such as JIRA and GitLab and even calling the company's help desk to convince them to reset a user's login credentials.

How to Protect Yourself from LAPSUS$ Ransomware

To protect yourself from the LAPSUS$ ransomware group, follow IT security best practices such as:

  • Educating users on phishing attacks and social engineering techniques.

  • Using strong passwords and multi-factor authentication for all logins.

  • Strengthening your cloud security posture and monitoring activity in the cloud.

  • Installing antivirus and anti-malware tools that can detect suspicious behaviors.


Here's what you need to know about the LAPSUS$ ransomware group:

  • First appearing in December 2021, LAPSUS$ is a cybercriminal and ransomware gang with members believed to be in the United Kingdom and Brazil.

  • LAPSUS$ has executed multiple high-profile attacks on major tech companies such as Microsoft, Uber, and NVIDIA.

  • Recent arrests of suspects have put the fate of LAPSUS$ in doubt, although the group seems to have been active as recently as September 2022.

Cybercriminal gangs such as LAPSUS$ target businesses with confidential and valuable information. To prevent your own company from being the victim of an attack, it's essential to perform regular Dark Web threat monitoring.

FYEO's Domain Intelligence (DI) platform is a powerful solution for threat intelligence. We continually monitor the Dark Web for mentions of your brand, domain(s) and employees. If we find a match between your private information and a Dark Web site, we'll issue an alert immediately so that you can take steps to strengthen your security.

Want to learn more? Get in touch with us today to request a demo of FYEO Domain Intelligence.


bottom of page