View of the Nations Park in Lisbon showing ransomware attack on media company

Ransomware Attack on Portuguese Media Company Impresa Compromised AWS Account, Disrupted Expresso Newspaper and SIC TV Stations

Lapsus$ ransomware gang took down Portugal’s largest media conglomerate Impresa group in a devastating ransomware attack that began on the New Year’s weekend.

The incident affected the company’s online IT server infrastructure, shutting down all Impresa-owned websites, the country’s most popular weekly publication Expresso newspaper, and SIC TV channels.

Lapsus group also left a ransom note claiming that it had gained access to Impresa’s Amazon Web Services account, according to Recorded Future. The threat intelligence company reported that the ransomware gang claimed responsibility by defacing all Impresa websites with a ransom note written in Portuguese.

Impresa Media company is trying to recover from a Lapsus$ ransomware attack

Both the country’s largest newspaper and television station remained unavailable after the New Year’s weekend ransomware attack. Although the media company’s cable remained operational, the ransomware attack disrupted the Impresa group’s streaming capabilities.

“Company downtime equates to a loss of revenue, in one form or another, which is an immediate by-product of ransomware,” said Nasser Fattah, North America Steering Committee Chair, Shared Assessments. “Hence the importance of doing ransomware tabletop exercises to not only best prepare for an attack, but also to engage the business to best understand the financial impact of system outages.”

The media giant reportedly regained control of the Amazon Web Services account and put all the websites in maintenance mode. However, the ransomware gang used one of the media company’s verified Twitter accounts to tweet that it still had access to Impresa’s systems.

Other Portuguese media outlets also reported the ransomware attack. The Observador newspaper confirmed the incident on Twitter.

The Observador newspaper reported that SIC-owned streaming platform Opto subscribers received text messages from the hacking group that read, “We announce Lapsus$ as the president of Portugal.” Expresso newsletter subscribers also received an SMS from the ransomware group claiming responsibility for the attack.

Additionally, the newspaper reported that Impresa Group would file a criminal complaint and was working with the Judicial Police and the National Cybersecurity Centre (NCSC). The NCSC told Observador that it was in direct contact with the media company. The agency said it was trying to understand the attack vector and support the company.

Responding to the attack, Impresa described the incident as an attack on media freedom in Portugal in the digital age.

However, the media company refused to disclose the amount that the Lapsus$ ransomware gang demanded. Lapsus$, however, asserted that it would leak the stolen data if the media company failed to meet its ransom demands.

Although this was the first Lapsus$ ransomware attack on Portugal, the group seems interested in Portuguese-speaking countries. The group was responsible for a ransomware attack on Brazil’s Ministry of Health on December 10, 2021. The ransomware gang exfiltrated and deleted 50 Terabytes of COVID-19 data. Lapsus$ also claimed responsibility for another attack on Brazilian telecommunications operator Claro, although the company failed to acknowledge the attack.

The perceived interest in Brazil and Portugal suggests that the ransomware group consists of Portuguese-speaking members. However, the Brazilian technology website TecMundo reported that Lapsus$ consisted of a Spaniard and several Colombians.

According to Portuguese authorities, the ransomware attack on Impresa is the largest in the country’s history. The attack also comes hot on the heels of another suspected ransomware attack on a Norwegian media giant Amedia that manages more than 90 publications.

“Being able to continuously validate people, processes, and technologies is always going to be a struggle,” Elizabeth Wharton, Vice President, Operations, SCYTHE, said. “Ransomware gangs like Lapsus$ may use the same tactics, techniques, and procedures (TTPs) to carry out their attacks, or they may reorder the TTPs to fly under the radar. Companies need to continuously test their controls using threat intelligence, like the news of this attack, to protect their business interests.”