Ransomware Attack on Portuguese Media Company Impresa, Compromised AWS Account, Disrupted Expresso Newspaper and SIC TV Channels


The Lapsus$ ransomware gang took down Portugal’s largest media conglomerate, Impresa Group, in a devastating ransomware attack that began over New Year’s weekend.

The incident affected the company’s online computing server infrastructure, shutting down all websites belonging to Impresa, the country’s most popular weekly Expresso, and SIC television stations.

The Lapsus$ group also left a ransom note claiming that it had gained access to Impresa’s Amazon Web Services account, according to Recorded Future. The threat intelligence firm reported that the ransomware gang claimed responsibility by defacing all Impresa websites with a ransom note written in Portuguese.

Impresa Media tries to recover from Lapsus$ ransomware attack

The country’s largest newspaper and TV channel remained unavailable after the New Year’s weekend ransomware attack. Although the media company’s cable remained operational, the ransomware attack disrupted Impresa Group’s streaming capabilities.

“Business downtime equates to lost revenue in one form or another, which is an immediate byproduct of ransomware,” said Nasser Fattah, North America Steering Committee Chairman, Shared ratings. “Hence the importance of running ransomware tabletop exercises not only to best prepare for an attack, but also to incentivize the business to better understand the financial impact of system failures.”

The media giant reportedly regained control of the Amazon Web Services account and put all websites into maintenance mode. However, the ransomware gang used one of the media company’s verified Twitter accounts to tweet that they still had access to Impresa’s systems.

Other Portuguese media also reported the ransomware attack. The Observador newspaper confirmed the incident on Twitter.

Observador reported that subscribers to the SIC-owned Opto streaming platform received text messages from the hacking group that read, “We are announcing Lapsus$ as President of Portugal.” Subscribers to the Expresso newsletter also received an SMS from the ransomware group claiming responsibility for the attack.

Additionally, the newspaper reported that the Impresa group would file a criminal complaint and was working with the Judicial Police and the National Cyber Security Center (NCSC). The NCSC told Observador it was in direct contact with the media company. The agency said it was trying to understand the attack vector and support the company.

In response to the attack, Impresa described the incident as an attack on media freedom in Portugal in the digital age.

The media company refused to disclose the amount demanded by the Lapsus$ ransomware gang. Lapsus$, however, claimed that it would release the stolen data if the media company did not meet its ransom demands.

Although this is the first Lapsus$ ransomware attack against Portugal, the group seems to be interested in Portuguese-speaking countries. The group was responsible for a ransomware attack against the Brazilian Ministry of Health on December 10, 2021. The ransomware gang exfiltrated and deleted 50 terabytes of COVID-19 data. Lapsus$ also claimed responsibility for another attack on Brazilian telecommunications operator Claro, although the company did not acknowledge the attack.

The group's perceived interest in Brazil and Portugal suggests that it is made up of Portuguese-speaking members. However, the Brazilian technology site TecMundo reported that Lapsus$ consisted of a Spaniard and several Colombians.

According to Portuguese authorities, the ransomware attack against Impresa is the largest in the country’s history. The attack also follows another suspected ransomware attack on Norwegian media giant Amedia, which runs more than 90 publications.


“Being able to continuously validate people, processes and technologies will always be challenging,” said Elizabeth Wharton, vice president of operations, SCYTHE. “Ransomware gangs like Lapsus$ can use the same tactics, techniques, and procedures (TTPs) to carry out their attacks, or they can reorder TTPs to fly under the radar. Companies need to continuously test their controls with threat intelligence, like news of this attack, to protect their business interests.”
