Portugal Media Giant Impresa Crippled by Ransomware Attack

The websites of the company and the Expresso newspaper, as well as all of its SIC TV channels, remained offline Tuesday after the New Year’s weekend attack.

Media giant Impresa, which owns the largest television station and newspaper in Portugal, was crippled by a ransomware attack just hours into 2022. The suspected ransomware gang behind the attack goes by the name Lapsus$.

The attack hit the Impresa-owned Expresso newspaper website and television station SIC. Both remained offline Tuesday morning as the media giant continued its recovery from the New Year’s weekend attack. The server infrastructure critical to Impresa’s operations was impacted. One of Impresa’s verified Twitter accounts was also compromised: it was hijacked and used to taunt the company publicly.

“National airwave and cable TV broadcasts are operating normally, but the attack has taken down SIC’s internet streaming capabilities,” according to a blog post published Monday by The Record, the news service of security analyst firm Recorded Future.

Various news outlets also reported the attack, including SIC Noticias, SIC’s news TV station, which tweeted a confirmation of the incident, and Portugal’s Observador newspaper.

“The Impresa group confirms that its Expresso and SIC sites, as well as some of their social media pages, are temporarily unavailable, apparently the target of a computer attack, and that actions are being taken to resolve the situation,” according to the tweet.

Lapsus$ identified itself as the culprit of the attack by defacing all of Impresa’s sites with a ransom note letting the company know that it had gained access to Impresa’s Amazon Web Services account, according to a screenshot of the note posted online by The Record.

Pressure to Pay

It appears Impresa was able to regain control over the account on Monday when all of the sites were put into maintenance mode, showing notes on respective home pages that they were temporarily unavailable.

However, Lapsus$ kept up the pressure on Impresa via Twitter, tweeting from Expresso’s verified Twitter account on Monday to demonstrate that it still had access to company resources, according to Recorded Future.

Neither the company nor Lapsus$ so far has revealed the amount of the extortion payment associated with the incident, which marks the first time the group has attacked an entity in Portugal, Lino Santos, the coordinator of Portugal’s National Cybersecurity Center, told the Observador.

Lapsus$ Group came on the ransomware scene in 2021 and so far is best known for an attack on the Brazil Ministry of Health last month. The incident took down several online entities, successfully wiping out information on citizens’ COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.

More Ransomware on the Way

The attack shows that the significant ramp-up in ransomware attacks in 2021 shows no sign of slowing in the new year.

“Ransomware is not going away,” Dave Pasirstein, chief product officer and head of engineering for TruU, wrote in an email to Threatpost. “It’s a lucrative business that is nearly impossible to protect against all risk vectors.”
