LAPSUS$ Group

The LAPSUS$ group (referred to as DEV-0357 by Microsoft) is a loose collective of threat actors unassociated with any particular political group or philosophy. The maxim “no honor among thieves” applies to LAPSUS$ members: they have demonstrated themselves to be unprofessional—even by ransomware gang standards—by failing to honor their promises to destroy stolen data. They also make little effort to cover their tracks or obfuscate their techniques.  

Nevertheless, even a small, chaotic, and unsophisticated group of threat actors can compromise large tech corporations and extort large sums of money. LAPSUS$ is thought to be South American in origin, with many additional members from Portugal and Latin America, although LAPSUS$’s ranks span the globe. 

LAPSUS$ maintains a public profile and communicates regularly via Telegram and emails. Perhaps due to their open nature or lack of an effective technical strategy to conceal themselves, London’s Metropolitan Police Service executed a strategic takedown of seven individuals ranging in age from 16 to 21 believed to be members of LAPSUS$ in March 2022. Only two apprehended individuals were eventually charged, with three counts of unauthorized access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorized access to a computer with intent to hinder access to data. Ironically, a group behind a website for “doxxing”—publicly revealing personal or sensitive information about an individual or organization—provided information that ultimately led to these arrests, in retaliation for having their public information disclosed. However, the arrests failed to impact LAPSUS$’s operations significantly; the group continues to exploit and publicly release their victims’ data.

LAPSUS$ ransomware differs from other high-profile ransom-based attack strains such as Conti, REvil, and LockBit. While most ransomware attacks employ sophisticated malware to encrypt files, LAPSUS$ attacks involve simple threats of posting stolen data to coerce payments, forgoing traditional malware altogether.

LAPSUS$ gains access to target systems via stolen credentials for remote desktop (RDP), VPN, or cloud services such as Microsoft Office 365 and then proceeds to steal sensitive data. Although LAPSUS$ members may not deploy malware to achieve their goals, they import hacking software tools onto the systems they access and manually extend their initial access through the network to identify high-value data and exfiltrate it.

To combat LAPSUS$’s ability to leverage stolen credentials, implement strict multi-factor authentication and an advanced Zero Trust security solution to prevent unauthorized use of enterprise resources.

Due to the diversity and ad-hoc nature of LAPSUS$’s techniques, no single collection of defensive strategies or mitigations could fully combat LAPSUS$’s offensive approach. Effectively preventing a successful attack depends on a comprehensive approach to enterprise cybersecurity. Core IT security principles such as Defense in Depth, least privilege access, Data Loss Prevention, 24x7x365 monitoring, vulnerability management, red-teaming programs, and continuous improvement of network defenses are all essential parts of an enterprise cybersecurity program.