The same group that hit Nvidia claims responsibility
Samsung this week confirmed a breach of its internal computer systems, which may be connected to other high-profile ransomware attacks at Nvidia and the Brazilian Ministry of Health. The group, called Lapsus$, allegedly took source code for Samsung’s flagship Galaxy smartphones. What’s more, the 190 GB data leak from Samsung also apparently involves confidential data from Qualcomm.
Samsung confirmed the intrusion as a “security breach,” but underscored in a statement that no customer or employee data was compromised as a result. The group claimed responsibility on Telegram, the encrypted messaging service, according to reports – verifying with examples of stolen source code.
The news comes days after Lapsus$ was identified in another breach – this one involving Nvidia Corp. Lapsus$ leaked Nvidia source code online after demanding the company open-source the drivers for its graphics processors and disable a cryptocurrency mining performance limiter.
Ransomware preys on human nature
Improvements to cloud security abound, but ransomware largely depends on human nature to work. Phishing spam is the most frequent vector: an email arrives that looks normal. Once opened, it gives malware access to otherwise restricted files and systems. And once inside, the malware can encrypt files that cannot be decrypted without the right key, which is available only if the victim pays the fee.
Government agencies are often a target for ransomware attacks because they require immediate access to their files and often lack the coordinated security threat detection and elimination needed to keep ransomware attacks at bay. Indeed, Lapsus$ came to public attention following a targeted attack on the Brazilian Ministry of Health in December. The group claimed to have disrupted the data the ministry used to create digital vaccination certificates, and said it wiped out some Brazilian citizens’ COVID-19 vaccination data in the process. But there’s little if any indication that Lapsus$ is out for anything except money and glory.
Landing whales may explain why Lapsus$ made Portuguese media company Impresa a victim. Lapsus$ hijacked the company’s websites and social media accounts, claiming to have gained control over Impresa’s Amazon Web Services (AWS) account. Lapsus$ is also allegedly responsible for ransomware attacks on South American telcos Embratel and Claro. The geographical concentration of attacks and the fluency of the notes have led security researchers to think that Lapsus$ is based in Latin America, but little is actually known about the group.