Ransomware attacks can take different forms. The more typical approach has been to encrypt data and charge for the ability to decrypt it. A more recent trend is to steal data from large companies and threaten to publish it unless a ransom is paid, an extortion model that works even when backups are intact, since restoring the data does nothing to stop its release. The demand is typically for a large sum, and the attacker usually insists on payment in Bitcoin or another cryptocurrency.
One such purveyor of misery is LAPSUS$, a cybercrime group that has made a reputation for gaining access to large organizations, exfiltrating data, and then threatening to release all the information to the public unless a ransom is paid. What makes LAPSUS$ an interesting group to study is their approach to social engineering and how they directly attack the target organization itself and leverage service providers and partners within the target’s ecosystem as attack vectors.
Clearly enjoying the notoriety, LAPSUS$ publicly posts via a Telegram Channel, which at the time of writing had over 57,000 followers. There is a throwback feel that they’re doing it for “the lulz.”
LAPSUS$ has had success with several attack vectors, including purchasing stolen credentials and session tokens, and SIM-swapping to take over accounts. At a time when many people are working from home, they also target individuals' personal accounts, then use that access to pivot into the victim's corporate accounts. Personal email addresses and phone numbers are often registered as a second factor or as the recovery channel for corporate accounts, so once a personal account falls, the attacker can trigger account recovery and reset the corporate password.
One technique that stands out is recruiting insiders by posting recruitment messages on various social media platforms. In the example below, "WhiteDocBin" is offering $20,000 per week to perform "low risk" inside jobs against one or two of the organization's customers a week. This pushes the idea of the "gig economy" to an extreme.
Insider threats are a growing cybersecurity concern. They are defined as individuals who have authorized access to an organization’s systems and data but may choose to exploit their access for malicious purposes. Insiders can include current or former employees, contractors, or business partners.
Insiders may exploit their access for a variety of reasons, including financial gain, revenge, or ideology, and the most serious threats come from those acting deliberately out of personal gain or malice rather than through negligence. Insider threats can be challenging to detect: their access is legitimate, so it does not trip the controls built to stop outsiders, and they are often familiar with the organization's security monitoring and how to avoid it. They may also already hold access to the sensitive data an external attacker would have to work to reach.