LAPSUS$ Group

Who Is the LAPSUS$ Group?

The LAPSUS$ group (referred to as DEV-0357 by Microsoft) is a loose collective of threat actors unassociated with any particular political group or philosophy. The maxim “no honor among thieves” applies to LAPSUS$ members: they have demonstrated themselves to be unprofessional—even by ransomware gang standards—by failing to honor their promises to destroy stolen data. They also make little effort to cover their tracks or obfuscate their techniques.  

Nevertheless, even a small, chaotic, and unsophisticated group of threat actors can compromise large tech corporations and extort large sums of money. LAPSUS$ is thought to be South American in origin, with many additional members from Portugal and Latin America, although LAPSUS$’s ranks span the globe. 

LAPSUS$ maintains a public profile and communicates regularly via Telegram and emails. Perhaps due to their open nature or lack of an effective technical strategy to conceal themselves, London’s Metropolitan Police Service executed a strategic takedown of seven individuals ranging in age from 16 to 21 believed to be members of LAPSUS$ in March 2022. Only two apprehended individuals were eventually charged, with three counts of unauthorized access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorized access to a computer with intent to hinder access to data. Ironically, a group behind a website for “doxxing”—publicly revealing personal or sensitive information about an individual or organization—provided information that ultimately led to these arrests, in retaliation for having their public information disclosed. However, the arrests failed to impact LAPSUS$’s operations significantly; the group continues to exploit and publicly release their victims’ data.

What Is LAPSUS$ Ransomware?

LAPSUS$ ransomware differs from other high-profile ransom-based attack strains such as Conti, REvil, and LockBit. While most ransomware attacks employ sophisticated malware to encrypt files, LAPSUS$ attacks involve simple threats of posting stolen data to coerce payments, forgoing traditional malware altogether.

LAPSUS$ gains access to target systems via stolen credentials for remote desktop (RDP), VPN, or cloud services such as Microsoft Office 365 and then proceeds to steal sensitive data. Although LAPSUS$ members may not deploy malware to achieve their goals, they import hacking software tools onto the systems they access and manually extend their initial access through the network to identify high-value data and exfiltrate it.

LAPSUS$ does not use an affiliate model to operate a ransomware-as-a-service (RaaS) to gain initial access; instead, members manage breaches from beginning to end. Their attacks typically employ low-tech hacking techniques such as social engineeringphishing, spear-phishing, and especially vishing—and discovering publicly exposed credentials to gain initial access to valid remote desktop (RDP), VPN, or cloud application accounts. LAPSUS$ is also known for using other techniques such as SIM swapping, working with insider threats, and buying credentials on the Dark Web.

LAPSUS$’s second-stage tactics involve data exfiltration and public extortion, demanding financial compensation to prevent the release of stolen data. This is different from the strategies other high-profile ransomware gangs use that often deploy advanced malware for double extortion—demanding payment to decrypt files and prevent the release of sensitive data. 

For lateral movement, LAPSUS$ exploits known security vulnerabilities in applications such as JIRA, Confluence, and GitLab on the target network, then attempts to extract credentials embedded in source code repositories and use Windows exploitation tools such as AD explorer, DCsync, and Mimikatz. LAPSUS$ also relies on the Redline infostealer malware as a second-stage tactic to discover credentials for other systems on the network and extend their initial foothold laterally to find sensitive data.

Common LAPSUS$ Tactics, Techniques, and Procedures (TT&P)

  • Social engineering, credential theft, and finding publicly exposed credentials through online search
  • Gaining unauthorized access to valid accounts via stolen credentials
  • SIM swapping attacks (AKA, SIM splitting, Smishing, SIMjacking, and SIM swapping) to access a victim’s email to reset account passwords and bypass multi-factor authentication
  • Abusing personal email accounts of victims for personal information and credentials
  • Managed service provider (MSP) and cloud-application compromise with stolen credentials
  • Paying corrupt employees, suppliers, or business partners of target organizations for credentials and MFA tokens
  • Exfiltrating data to LAPSUS$-controlled servers
  • Extortion of victims to prevent the release of stolen data

How to Protect Against LAPSUS$

To combat LAPSUS$’s ability to leverage stolen credentials, implement strict multi-factor authentication and an advanced Zero Trust security solution to prevent unauthorized use of enterprise resources.

Due to the diversity and ad-hoc nature of LAPSUS$’s techniques, no single collection of defensive strategies or mitigations could fully combat LAPSUS$’s offensive approach. Effectively preventing a successful attack depends on a comprehensive approach to enterprise cybersecurity. Core IT security principles such as Defense in Depth, least privilege access, Data Loss Prevention, 24x7x365 monitoring, vulnerability management, red-teaming programs, and continuous improvement of network defenses are all essential parts of an enterprise cybersecurity program.