Nvidia Hacks Ransomware Gang Back To Block Data Leaks, Group Claims

‘EVERYONE!!! NVIDIA ARE CRIMINALS!!!!!!!!! ... TODAY WOKE UP AND FOUND NVIDIA SCUM HAD ATTACKED **THE** MACHINE WITH RANSOMWARE…….,’ the ransomware group Lapsus$ wrote on Telegram after threatening to leak Nvidia data.

Nvidia in recent days launched a retaliatory strike against the Lapsus$ ransomware gang to prevent the release of the chipmaker’s stolen data, the ransomware group claimed.

“EVERYONE!!! NVIDIA ARE CRIMINALS!!!!!!!!! SOME DAYS AGO A ATTACK AGAINST NVIDIA AND STOLE 1TB OF CONFIDENTIAL DATA!!!!!! (sic),” the Lapsus$ operator posted to their public Telegram channel. “TODAY WOKE UP AND FOUND NVIDIA SCUM HAD ATTACKED **THE** MACHINE WITH RANSOMWARE…….”

Screenshots from the publicly accessible Lapsus$ Telegram channel were shared on Twitter by multiple security researchers including Emsisoft threat analyst Brett Callow and cybersecurity enthusiast Soufiane Tahiri. It is unclear when exactly these messages were posted, and Lapsus$’s Telegram channel was inaccessible Saturday afternoon due to the alleged posting of pornographic content, Callow told CRN.

[Related: Nvidia Hack ‘Completely Compromised’ Internal Systems: Report]

Nvidia did not immediately respond to a CRN request for comment Saturday, but said Friday, “We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event.”

Lapsus$ said on Telegram that accessing the VPN of Nvidia employees requires a PC to be enrolled in mobile device management (MDM), according to screenshots posted to Twitter. For this reason, Nvidia was able to connect to a virtual machine that Lapsus$ uses, according to the ransomware operator.

Nvidia was able to successfully encrypt Lapsus$’s data, but the ransomware group said it had a backup, meaning that its data was “safe from scum!!!” Lapsus$ asserted that it wasn’t hacked by a competing ransomware group.

“LUCKILY IT HAD A BACKUP BUT WHY THE F*** THEY THINK THEY CAN CONNECT TO THE PRIVATE MACHINE AND INSTALL RANSOMWARE!!!!!!!!!!!” Lapsus$ posted on Telegram.

Hacking back is not common but has certainly happened before, Callow told CRN. Dropping ransomware on an attacker’s network can prevent the ransomware group from leaking whatever victim data they exfiltrated, according to Callow.

Prior to being hacked themselves, the Lapsus$ ransomware group leaked the credentials of Nvidia employees and said they would soon release one terabyte of stolen data, according to screenshots shared on Twitter by cybersecurity monitoring group DarkTracer. Lapsus$ claimed to have shared the password hashes from all Nvidia employees and said it would soon leak data about the RTX GPUS.

“We are not sure how we will leak the data yet,” Lapsus$ wrote on Telegram, according to screenshots shared early Saturday morning by DarkTracer. “We think it will be in 5 different releases, its very large [sic].”

Lapsus$ said it would ensure Nvidia’s data isn’t leaked if the company contacted the ransomware group by email and paid an unspecified fee. Lapsus$ said it was expecting initial contact from Nvidia on or before Friday, according to screenshots shared by DarkTracer.

The Lapsus$ ransomware gang is relatively new, but just last month knocked the websites of one of Portugal’s biggest newspapers and of a major broadcaster offline, according to The National. Both the newspaper and the website are owned by Portugal’s largest media conglomerate Impresa, according to The National.

In December 2021, Lapsus$ allegedly hacked Brazil’s health ministry website and took several systems down, including one with information about the national immunization program and another used to issue digital vaccination certificates, according to The National.

It’s unclear where Lapsus$ is based or if they have links to other ransomware gangs, Callow told CRN, adding that there isn’t anything particularly unusual about the group.