A new year, a new ransomware attack. Portugal’s largest media conglomerate got hit hard over the New Year’s holiday weekend, and is still offline as of this article’s publication on Tuesday, January 4.
The attack went after the company Impresa, taking down the websites of the nation’s largest TV channel and newspaper. The Twitter account was taken over by the hackers, who then Tweeted out through the compromised account. The attack was carried out by the ransomware gang Lapsus$.
The websites included those for the Expresso newspaper and television station SIC. The website “The Record” reported that the attack hit the company’s online IT server infrastructure.
Reuters said in a story that Lapsus$ threatened data exfiltration if Impresa did not pay a ransom. Data exfiltration, or exposure of internal private data from a company, like Social Security numbers and credit card numbers, is an increasingly common tactic used by ransomware gangs. It’s another way to make money on top of providing a decryption key to unlock encrypted data.
Lapsus$ mocked the Expresso newspaper in the newspaper’s official Twitter account, which it has also taken over. It said in a (translated) Tweet that “Lapsus$ is officially the new president https://ransomware.org/of Portugal”. Lapsus$ has also claimed that it’s gained control of Impresa’s Amazon Web Services account.
Lapsus$ is not one of the more well-known ransomware gangs, but it did make a high-profile attack last December against Brazil’s Ministry of Health. In that case, compromised data included information on COVID-19 patients. Several systems were taken down, but it’s not clear how much data was ultimately lost, if any.
The ransomware attack against Impresa should remind organizations to safeguard themselves as much as possible against these attacks in 2022. One effective method to do that is to get the recently published book, “Ransomware: Understand. Protect. Recover,” available here.
As of this writing, it is publicly unknown whether or not Impreza paid the ransom.