A ransomware gang called Lapsus$ attacked the largest media company of Portugal, the Impresa group, starting from the weekend of New Year.
The attack resulted in the shutting down all websites owned by Impresa, SIC TV channels, and a popular weekly newspaper Expresso.
As per Recorded Future, the Lapsus group took responsibility for the attack and left a note declaring that they had gained access to the Amazon Web Services account of Impresa.
After the ransomware attack, the country’s largest media group and TV channel became unavailable. The attack disrupted the streaming capabilities of the company while Impresa’s cable remained operational.
According to Nasser Fattah, the North American Steering Committee Chair of Shared Assessments:
“Company downtime equates to a loss of revenue, in one form or another, which is an immediate by-product of ransomware,”
“Hence the importance of doing ransomware tabletop exercises to not only best prepare for an attack, but also to engage the business to best understand the financial impact of system outages.”
Impresa has reportedly regained access to its account of Amazon Web Services and has pulled all its websites from maintenance. But, Lapsus used a verified Twitter account of Impresa and tweeted that they still have access to the systems of the company.
Except for Impresa, various other media companies of Portugal also reported ransomware attacks. The Observador newspaper confirmed an attack on Twitter.
The newspaper reported that the Opto subscribers of the streaming platforms owned by SIC received texts from the ransomware group saying, “We announce Lapsus$ as the president of Portugal.” The subscribers of the Expresso newsletter also received texts from the hacking group claiming responsibility for the attack.
The newspaper also reported that the Impresa Group was working with the National Cybersecurity Centre (NCSC) and the Judicial Police and would file a criminal complaint. NCSC informed the Observador that it was in contact directly with the media outlet.
Impresa claimed the incident to be an attack on Portugal’s media freedom in the digital era.
While the media group refused to disclose the ransomware amount demanded by Lapsus$, the hacking group has announced to leak all the data stolen from the media company if they failed to meet their ransomware demands.
Even though it was the first attack of the hacking group in Portugal, they seem quite interested in the Portuguese-speaking countries. This group also attacked the Brazilian Health Ministry in December 2021 and deleted the Covid-19 data worth 50 Terabytes.
They also attacked the telecommunications operator of Brazil, Claro, but the company failed to acknowledge the ransomware attack.
As per the authorities of Portugal, Impresa’s ransomware attack was the largest in the history of the country.
According to Elizabeth Wharton, the Vice President of Operations at SCYTHE said:
“Being able to continuously validate people, processes, and technologies is always going to be a struggle,”
“Ransomware gangs like Lapsus$ may use the same tactics, techniques, and procedures (TTPs) to carry out their attacks, or they may reorder the TTPs to fly under the radar. Companies need to continuously test their controls using threat intelligence, like the news of this attack, to protect their business interests.”
