[BreachExchange] Nvidia strikes back at ransomware gang
Terrell Byrd
terrell.byrd at riskbasedsecurity.com
Mon Feb 28 11:42:21 EST 2022
https://www.crn.com.au/news/nvidia-strikes-back-at-ransomware-gang-576607
Nvidia in recent days launched a retaliatory strike against the Lapsus$
ransomware gang to prevent the release of the chipmaker’s stolen data, the
ransomware group claimed.
“EVERYONE!!! NVIDIA ARE CRIMINALS!!!!!!!!! SOME DAYS AGO A ATTACK AGAINST
NVIDIA AND STOLE 1TB OF CONFIDENTIAL DATA!!!!!! (sic),” the Lapsus$
operator posted to their public Telegram channel. “TODAY WOKE UP AND FOUND
NVIDIA SCUM HAD ATTACKED **THE** MACHINE WITH RANSOMWARE…….”
Screenshots from the publicly accessible Lapsus$ Telegram channel were
shared on Twitter by multiple security researchers including Emsisoft
threat analyst Brett Callow and cybersecurity enthusiast Soufiane Tahiri.
It is unclear when exactly these messages were posted, and Lapsus$’s
Telegram channel was inaccessible Saturday afternoon due to the alleged
posting of pornographic content, Callow told CRN.
Nvidia did not immediately respond to a CRN request for comment Saturday,
but said Friday, “We are investigating an incident. Our business and
commercial activities continue uninterrupted. We are still working to
evaluate the nature and scope of the event.”
Lapsus$ said on Telegram that accessing the VPN of Nvidia employees
requires a PC to be enrolled in mobile device management (MDM), according
to screenshots posted to Twitter. For this reason, Nvidia was able to
connect to a virtual machine that Lapsus$ uses, according to the ransomware
operator.
Nvidia was able to successfully encrypt Lapsus$’s data, but the ransomware
group said it had a backup, meaning that its data was “safe from scum!!!”
Lapsus$ asserted that it wasn’t hacked by a competing ransomware group.
“LUCKILY IT HAD A BACKUP BUT WHY THE F*** THEY THINK THEY CAN CONNECT TO
THE PRIVATE MACHINE AND INSTALL RANSOMWARE!!!!!!!!!!!” Lapsus$ posted on
Telegram.
Hacking back is not common but has certainly happened before, Callow told
CRN. Dropping ransomware on an attacker’s network can prevent the
ransomware group from leaking whatever victim data they exfiltrated,
according to Callow.
Prior to being hacked themselves, the Lapsus$ ransomware group leaked the
credentials of Nvidia employees and said they would soon release one
terabyte of stolen data, according to screenshots shared on Twitter by
cybersecurity monitoring group DarkTracer. Lapsus$ claimed to have shared
the password hashes from all Nvidia employees and said it would soon leak
data about the RTX GPUS.
“We are not sure how we will leak the data yet,” Lapsus$ wrote on Telegram,
according to screenshots shared early Saturday morning by DarkTracer. “We
think it will be in 5 different releases, its very large [sic].”
Lapsus$ said it would ensure Nvidia’s data isn’t leaked if the company
contacted the ransomware group by email and paid an unspecified fee.
Lapsus$ said it was expecting initial contact from Nvidia on or before
Friday, according to screenshots shared by DarkTracer.
The Lapsus$ ransomware gang is relatively new, but just last month knocked
the websites of one of Portugal’s biggest newspapers and of a major
broadcaster offline, according to The National. Both the newspaper and the
website are owned by Portugal’s largest media conglomerate Impresa,
according to The National.
In December 2021, Lapsus$ allegedly hacked Brazil’s health ministry website
and took several systems down, including one with information about the
national immunization program and another used to issue digital vaccination
certificates, according to The National.
It’s unclear where Lapsus$ is based or if they have links to other
ransomware gangs, Callow told CRN US, adding that there isn’t anything
particularly unusual about the group.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220228/6d7bcdab/attachment.html>
More information about the BreachExchange
mailing list