{
	"id": "f46c39a1-768a-48aa-9339-9658b29bb349",
	"created_at": "2026-04-06T00:17:29.745306Z",
	"updated_at": "2026-04-10T03:35:29.083708Z",
	"deleted_at": null,
	"sha1_hash": "558987e87628589287d90d8cae0d76f40e31dcf9",
	"title": "Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 615206,
	"plain_text": "Brazen, Unsophisticated and Illogical: Understanding the\r\nLAPSUS$ Extortion Group\r\nBy Claire Tills\r\nPublished: 2022-07-20 · Archived: 2026-04-05 21:29:30 UTC\r\nHaving gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone\r\nquiet. What can we learn from this extortion group’s story and tactics?\r\nIn early 2022, the LAPSUS$ group broke onto the scene with flashy and disruptive attacks. While occasionally\r\nlumped in with ransomware groups, LAPSUS$ is an extortion group. What differentiates it from established,\r\nprofessional ransomware groups and what lessons can organizations learn from its tactics to improve their\r\ndefenses?\r\nThe LAPSUS$ group made a considerable splash at the beginning of 2022, but has fallen to ripples among the\r\nbigger waves caused by more established groups like Conti. LAPSUS$’s brief tenure as a leader of cybersecurity\r\nnews cycles was marred by idiosyncrasies and apparent mistakes.\r\nSource: Tenable Research, July 2022\r\nRansomware or extortion?\r\nI noted that LAPSUS$ is an extortion, not ransomware, group. For these purposes, I am being intentionally\r\nspecific with the definition of ransomware. While some cases of extortion involve stealing data and “ransoming”\r\nhttps://www.tenable.com/blog/brazen-unsophisticated-and-illogical-understanding-the-lapsus-extortion-group\r\nPage 1 of 7\n\nit back to organizations, ransomware specifically refers to incidents when data-encrypting malware (ransomware)\r\nis deployed and access to those systems is ransomed back to target organizations.\r\nOver the years, ransomware groups have adopted diverse extortion tactics. To learn about those tactics and other\r\nkey features of the ransomware ecosystem, read Tenable’s report. Extortion groups like LAPSUS$ focus on\r\nopportunistic data theft and threats to publicly release the stolen data. 
Occasionally, these groups will also delete\r\nthe original data.\r\nWith that distinction established, let’s examine one of the recent prominent names in extortion: the LAPSUS$\r\ngroup.\r\nWho is the LAPSUS$ group?\r\nWhile there are other groups that perform extortion-only attacks, the LAPSUS$ group broke onto the scene in a\r\nbig way at the end of 2021 and brought this type of threat group to the forefront.\r\nLAPSUS$’s official career began in December 2021 with attacks against companies in South America and\r\ncontinued into January with targets in South America and Portugal, likely related to the location of some group\r\nmembers. (While the initial breach of Sitel and subsequent compromise of Okta occurred at the end of January, it\r\nwasn’t publicized for another two months.) In the following months, LAPSUS$ expanded its targets to\r\nmultinational technology companies. This brought the group to the attention of the cybersecurity community at\r\nlarge.\r\nThe LAPSUS$ group solely operates through a private Telegram group and doesn’t manage a dark web leak site\r\nlike other threat groups, limiting the data available for analysis. Nonetheless, many security analysts, researchers\r\nand reporters have examined the information available and developed insights into the group’s characteristics and\r\ntactics.\r\nCommon themes among these analyses include:\r\nLower maturity tactics and behaviors\r\nPriority for clout and notoriety\r\nPrimarily focused on monetary goals\r\nThe theorized goals of money and fame are supported by the group’s transition from targeting companies in South\r\nAmerica to companies with much larger areas of influence, “large scale international technology companies,” as\r\nFlashpoint research puts it. 
Targeting these companies theoretically could earn cybercriminals higher payouts, and\r\nit absolutely earned the group notoriety.\r\nAs many analysts have pointed out, it is difficult to attribute a singular, monolithic goal — or even confidently\r\ndiscount goals — to such a “loose collective.” LAPSUS$ has vehemently asserted that it is not politically\r\nmotivated or state sponsored and its actions appear consistent with this assertion.\r\nIf ransomware groups like Conti are well-organized operations reminiscent of criminal enterprises depicted in TV\r\nshows and films such as Boardwalk Empire or the Godfather — complete with customer service and human\r\nresources — LAPSUS$ comes off more like the teams in Point Break or Bottle Rocket. Many analysts have\r\nreferred to its behavior as immature and impulsive, comparing it to the stereotypical “teenager in the basement,”\r\nthe script kiddies.\r\nWhile it’s hard to identify individual members of any cybercrime group, researchers and law enforcement have\r\ntraced LAPSUS$ operations to a few teenagers in Brazil and the U.K. These identifications, subsequent arrests\r\nand apparent silence from the group seem to align with analysis stating the group is made of “talented but\r\ninexperienced” actors who are “reckless and disruptive.” These traits are based on the observed tactics and\r\nbehaviors of the group, so let's examine those in some detail.\r\nHow does LAPSUS$ operate?\r\nThe LAPSUS$ group, maybe short-lived given the latest developments, still showed a trajectory of maturity. This\r\ntrajectory has not been linear, which further supports the loose collective nature of the group.
 Over time, the\r\nLAPSUS$ group has made opportunistic shifts in tactics and priorities for its attacks — moving from traditional\r\ncustomer and client data theft to theft of proprietary information and source code.\r\nIn terms of tactics, early attacks featured distributed denial of service (DDoS) and website vandalism. But, as early\r\nas January 21, the LAPSUS$ group was already engaged in the multi-stage breach that eventually led to the\r\nincident at Okta. Throughout that maturation process, the LAPSUS$ group heavily relied on tried-and-true tactics\r\nlike purchasing credential dumps, social engineering help desks and spamming multifactor authentication (MFA)\r\nprompts to achieve initial access to target organizations.\r\nAccording to reports from Microsoft and the NCC Group, the former from its own breach by the group, these are\r\nsome key tactics, techniques and procedures of the LAPSUS$ group:\r\nInitial access via purchased or publicly available credential repositories, password stealers and paying\r\nemployees for access\r\nCircumventing MFA through spamming prompts or contacting the help desk\r\nAccessing internet-facing applications like virtual private networks, Microsoft SharePoint, virtual desktops\r\netc. to collect further credentials and access sensitive information\r\nElevating privileges by exploiting unpatched vulnerabilities in Jira, GitLab, and Confluence and\r\nenumerating users with Active Directory Explorer\r\nExfiltrating data via NordVPN or free file drop services and then deleting resources\r\nUsing access to the target’s cloud environments to build attack infrastructure and remove all other global\r\nadministrators\r\nAs I’ve noted above, the LAPSUS$ group differs from other threat groups in the extortion and ransomware spaces\r\nin a key way: it does not operate a leak website.
 The group solely uses its Telegram channel to announce victims,\r\noften soliciting input from the broader community on which organization’s data to release next. Compared with\r\nthe polished, standardized sites of ransomware groups (like AvosLocker, LockBit 2.0, Conti etc.), these practices\r\ncome off as disorganized and immature.\r\nAvosLocker leak website, Image Source: Tenable, May 2022\r\nOn the surface, the move to stealing source code and proprietary information could be seen as a strategy to\r\nmotivate and elicit higher extortion payments, but the LAPSUS$ group has also used these thefts in strange ways.\r\nWith the Nvidia data, LAPSUS$ also leaked a code-signing certificate that allowed malware authors to freely use\r\nthis certificate to smuggle their wares into target environments as legitimately signed programs from Nvidia.\r\nLAPSUS$ was able to pilfer valuable information from Nvidia, but wasn’t interested in or capable of capitalizing\r\non it for its own benefit. The group didn’t appear to have a strong sense of what data had value. The data stolen\r\nfrom Microsoft “does not lead to elevation of risk” and Samsung did not “anticipate any impact to [its] business or\r\ncustomers.”\r\nIn fact, LAPSUS$ didn’t always effectively communicate extortion demands to victims, occasionally disagreed\r\npublicly on how to leak data and made “unreasonable and illogical” demands. With Nvidia, LAPSUS$ demanded\r\nfunctional changes to Nvidia chips that could not reasonably be accomplished.
 It seems this demand was a longer-term monetary strategy to increase capacity to mine cryptocurrency, albeit an ill-conceived one.\r\nWhat has LAPSUS$ accomplished?\r\nEven though earlier attacks by the LAPSUS$ group didn’t gain the level of attention its later attacks received,\r\nsome were quite disruptive and quickly placed the group on defenders’ radar screens, particularly in the regions\r\nhardest hit by those early attacks. The group managed to disrupt several telecommunications and media companies\r\nin Latin America and Europe, as well as Brazil’s Ministry of Health.\r\nIt wasn’t until the attack against Nvidia, in late February, that LAPSUS$ really broke into the broader limelight.\r\nWith this breach, LAPSUS$ stepped out onto the global stage and started a brief tear through major technology\r\ncompanies, doing so with perhaps more flair than function.\r\nEven though the breaches at Samsung, Microsoft and Okta did not have the technical impact we all fear from an\r\nincident at companies of that caliber, the disruption was still considerable. The incident at Okta in particular threw\r\nthe cybersecurity industry into a furor while it was being investigated and disclosed. While these major incidents\r\nwere occurring, the group continued targeting smaller organizations in Latin America and Europe.\r\nCharacterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even\r\naccused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity news cycle\r\nwas chaotic. It’s hard to say how much money the LAPSUS$ group has earned from its enterprise, but it cannot be\r\ndenied that the group gained notoriety, for better or worse.
 Three months since the peak of LAPSUS$ attacks and\r\nthe arrests, the group remains largely inactive.\r\nHow organizations should respond\r\nThe LAPSUS$ group’s primary tactics are focused on social engineering and recruiting insiders. In its report on\r\nthe group’s activities, NCC Group has provided indicators of compromise for LAPSUS$ attacks. Organizations\r\nshould adopt the following guidance to defend against attacks from LAPSUS$ and other extortion groups.\r\nReevaluate help desk policies and social engineering awareness\r\nStrengthen MFA: avoid SMS-based MFA; ensure strong password use; leverage passwordless\r\nauthentication\r\nUse robust authentication options for internet-facing applications like OAuth and Security Assertion Markup\r\nLanguage (SAML)\r\nFind and patch known-exploited vulnerabilities that could allow attackers to move laterally in your\r\nsystems, elevate privileges and exfiltrate sensitive data\r\nBolster cloud security posture: improve risk detections, strengthen access configurations\r\nIn its analysis of the incident targeting its own systems, Okta points to its adoption of zero trust as a key defense\r\nmechanism. The additional authentication steps required to access sensitive applications and data prevented the\r\nLAPSUS$ group from achieving access that could have had catastrophic impact on Okta and its customers.\r\nExtortion groups like LAPSUS$ don’t target Active Directory with the same motivations as traditional\r\nransomware groups, but still seek to compromise AD targets for the sake of pivoting their access to higher-privileged users. Proper AD configuration and monitoring are as critical for stopping extortion as they are for\r\nstopping ransomware. Additionally, these extortion groups are very likely to target cloud environments.
 The\r\nLAPSUS$ group has been observed targeting cloud infrastructure, deleting resources and locking out legitimate\r\nusers.\r\nLike their ransomware counterparts, these extortion groups still rely on legacy vulnerabilities that organizations\r\nhave left unpatched. At the RSA Conference in June 2022, NSA Cybersecurity Director Rob Joyce said that\r\naddressing these known exploited vulnerabilities “needs to be the base” of cybersecurity efforts. Tenable\r\ncustomers can use our Ransomware Ecosystem scan template, dashboards (Tenable.io, Tenable.sc) and reports to\r\nassess their environments for vulnerabilities known to be targeted by ransomware groups, many of which are also\r\nexploited by extortion groups.\r\nThe future of extortion groups\r\nLAPSUS$ is not the only name in extortion. In the wake of Conti shutting down, some of its affiliates have been\r\nobserved engaging in similar attacks. U.S. government agencies have also warned of another extortion group,\r\nKarakurt, which moved from merely operating a leak website for others’ data to engaging in data theft and\r\nextortion operations on its own behalf.\r\nAs the LAPSUS$ group’s activities were waning, the RansomHouse group has been rising in prominence. Like\r\nLAPSUS$, it has been categorized by some as a ransomware group, but it does not encrypt data on target\r\nnetworks. Many of its tactics are similar to those of the LAPSUS$ group; RansomHouse even advertised its\r\nactivities on the LAPSUS$ Telegram channel.\r\nJust like ransomware, extortion attacks aren’t going anywhere until they are made too complicated or costly to\r\nconduct. Organizations should evaluate what defenses they have in place against the tactics used, how they can be\r\nhardened and whether their response playbooks effectively account for these incidents.
 While it may feel easy to\r\ndownplay the threat of groups like LAPSUS$ because of their brazen, unsophisticated and illogical tactics, their\r\ndisruption of major international technology companies reminds us that even unsophisticated tactics can have\r\nserious impact.\r\nGet more information\r\nReport: A Look Inside The Ransomware Ecosystem\r\nContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help\r\nClaire Tills\r\nClaire Tills is a senior research engineer with Tenable's Security Response Team. Previously, she was product\r\nmarketing manager for Nessus and Tenable Research. Before joining Tenable, Claire worked for the FS-ISAC\r\nupon receiving a Master’s degree in communication, with a focus on information security.\r\nSource: https://www.tenable.com/blog/brazen-unsophisticated-and-illogical-understanding-the-lapsus-extortion-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.tenable.com/blog/brazen-unsophisticated-and-illogical-understanding-the-lapsus-extortion-group"
	],
	"report_names": [
		"brazen-unsophisticated-and-illogical-understanding-the-lapsus-extortion-group"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/558987e87628589287d90d8cae0d76f40e31dcf9.pdf",
		"text": "https://archive.orkl.eu/558987e87628589287d90d8cae0d76f40e31dcf9.txt",
		"img": "https://archive.orkl.eu/558987e87628589287d90d8cae0d76f40e31dcf9.jpg"
	}
}