LAPSUS$ and the Rising Tide: Navigating the Murky Waters of Insider Threats

Ransomware attacks are no longer just about encrypting data. They have morphed into a more sinister strategy: stealing data from large companies and then holding the threat of its public release over their heads unless a hefty ransom is paid. More often than not, these criminals demand payment in cryptocurrencies such as Bitcoin.

Spotlight on LAPSUS$: Not Just Another Cybercrime Group

LAPSUS$ has become synonymous with this new wave of ransomware attacks. They've mastered the art of infiltrating big organizations, siphoning off crucial data, and then holding it hostage. But what sets LAPSUS$ apart is their innovative approach to social engineering. Instead of merely focusing on their primary target, they exploit service providers and partners connected to their victim's ecosystem.


Their audacity doesn't end there. LAPSUS$ thrives on public attention, regularly posting updates on their activities to a Telegram channel that boasts over 57,000 followers. It is an eerie reminder of earlier hacker groups who seemed to hack for the thrill of the game and for public recognition: doing it "for the lulz" appears to matter as much to LAPSUS$ as the potential financial gains.


Diversification is a hallmark of LAPSUS$'s strategy. They've utilized a myriad of attack vectors, from buying credentials and session tokens off the dark web to SIM-swapping, which aids in account takeovers. Moreover, in our current work-from-home climate, they've found a goldmine: individual personal accounts. Once accessed, these accounts can act as gateways to corporate data. Considering many use their personal accounts for two-factor authentication during password recovery, LAPSUS$ can execute account recovery and password resets, further deepening the intrusion.


Perhaps their most audacious method involves advertising on social media platforms to recruit insiders within organizations. One such post, by a user going by "WhiteDocBin", offered $20,000 weekly for "low-risk" internal jobs targeting specific organizations. It's the dark side of the gig economy.


Insider Threats: The Trojan Horses of Cybersecurity

Insider threats have steadily risen to become a prominent cybersecurity concern. Insiders – be they current employees, past employees, contractors, or business partners – can be the very chink in an organization's armor. Given their authorized access, insiders can discreetly cause significant harm, driven by motives ranging from financial gains to personal vendettas.

Statistics Show:

Recent studies indicate that nearly 34% of all data breaches involve internal actors, emphasizing the growing importance of addressing this threat vector.

Protection Against Insider Threats and Ransomware

While understanding the problem is the first step, it's vital to adopt protective measures:

  1. Regular Audits: Periodically review and limit access rights of employees.
  2. Employee Training: Educate staff on the importance of cybersecurity and the dangers of social engineering.
  3. Invest in Technology: Deploy advanced threat detection tools that monitor for unusual activity.
  4. Backup Regularly: Ensure data is regularly backed up and stored securely, mitigating the impact of potential data loss.
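Two of these measures can be made concrete in code. The following Python script is an added example, not part of the original article or of any vendor's product: it runs a simple access-rights audit (departed accounts still provisioned, access outside a user's role) and a detection check for the account-recovery pattern described earlier, where a password reset via a personal recovery account is followed shortly by a login from a device never seen for that user. The roster, access export and authentication log are all constructed sample data; field names, system names and the 30-minute window are assumptions chosen for the illustration.

```python
"""Added example: insider-threat access audit and account-recovery anomaly check.

All data below is constructed for illustration; the roster, system names and
log format are assumptions, not any real organization's or product's schema.
"""
from datetime import datetime, timedelta

# Constructed HR roster: employment status and the systems each role needs.
ROSTER = {
    "alice": {"active": True,  "role": "engineer",   "allowed": {"git", "ci"}},
    "bob":   {"active": False, "role": "contractor", "allowed": set()},  # left last month
    "carol": {"active": True,  "role": "finance",    "allowed": {"erp"}},
}

# Constructed access-control export: system -> accounts currently provisioned.
ACCESS = {
    "git": {"alice", "bob"},        # bob has departed but was never deprovisioned
    "ci":  {"alice"},
    "erp": {"carol", "alice"},      # alice holds finance access her role does not need
}


def audit_access(roster, access):
    """Return (user, system, reason) findings for the 'Regular Audits' step:
    unknown accounts, departed users still provisioned, and access outside role."""
    findings = []
    for system, users in access.items():
        for user in sorted(users):
            entry = roster.get(user)
            if entry is None:
                findings.append((user, system, "unknown account"))
            elif not entry["active"]:
                findings.append((user, system, "departed user still has access"))
            elif system not in entry["allowed"]:
                findings.append((user, system, "access outside role"))
    return findings


# Constructed authentication log: (ISO timestamp, user, event, source device/channel).
EVENTS = [
    ("2022-03-30T09:00:00", "alice", "login",          "laptop-known"),
    ("2022-03-30T22:10:00", "carol", "recovery_reset", "personal-email"),
    ("2022-03-30T22:14:00", "carol", "login",          "device-unseen"),
    ("2022-03-31T08:00:00", "carol", "login",          "laptop-known"),
]


def flag_recovery_takeovers(events, window=timedelta(minutes=30)):
    """Flag a recovery-based password reset that is followed within `window`
    by a login from a source this user has not logged in from before.
    Returns (user, timestamp, source) tuples for the 'monitor for unusual
    activity' step."""
    seen = {}      # user -> sources that user has logged in from so far
    pending = {}   # user -> time of the most recent recovery reset
    flagged = []
    for ts, user, event, source in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "recovery_reset":
            pending[user] = t
        elif event == "login":
            reset_at = pending.get(user)
            is_new_source = source not in seen.get(user, set())
            if reset_at is not None and t - reset_at <= window and is_new_source:
                flagged.append((user, ts, source))
            seen.setdefault(user, set()).add(source)
    return flagged


if __name__ == "__main__":
    for finding in audit_access(ROSTER, ACCESS):
        print("AUDIT:", *finding)
    for hit in flag_recovery_takeovers(EVENTS):
        print("ALERT: reset followed by login from new source:", *hit)
```

Run against a real identity-provider export and authentication log, the same two functions give an auditor a list of accounts to deprovision or right-size and a short list of recovery events worth a phone call to the user; both are far cheaper to review than a full ransomware response.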

In summary, as cyber threats evolve, staying informed and adopting a proactive approach to cybersecurity becomes paramount. With groups like LAPSUS$ pushing the boundaries, businesses must be ever-vigilant and ready to adapt.


Insider threats are an escalating concern in the realm of cybersecurity. These threats emanate from individuals who possess legitimate access to an organization's systems and data. Yet, instead of using this access responsibly, they may misuse it for malicious intents. Such insiders can be current employees, former staff members, contractors, or even business partners.


The reasons driving these insiders to exploit their access are diverse, ranging from financial incentives and personal vendettas to deep-seated ideological beliefs. Among these, the gravest threats come from those driven primarily by personal gain or sheer malevolence. What makes insider threats especially insidious is the insider's innate familiarity with the organization's security mechanisms and protocols. Such deep knowledge, coupled with authorized access, can prove particularly damaging, as they can target sensitive data and wield it as a weapon against the organization.


Pete Slade
March 31, 2022