The attack is one of the most serious in that country’s history

The Lapsus$ ransomware gang has compromised the infrastructure of Impresa, the largest media conglomerate in Portugal. Impresa owns SIC TV channel, and Expresso newspaper, among other leading media, like several magazine publications.

The attack took place during the New Year holiday. It hit the websites of the Impresa group and the SIC TV channels, and the Expresso were forced offline. SIC’s internet streaming transmission was also interrupted.

According to TheRecord, while Impresa claims to have regained control over its Amazon account, in turn, the ransomware gang tweeted from Expresso’s verified Twitter account demonstrating to have access to its infrastructure.

A gang of of Portuguese speakers?

The Impresa attack is one of the largest cybersecurity incidents in Portugal’s history. Impresa is, by far, the country’s largest media conglomerate. According to September 2021 TV ratings, SIC and all its secondary channels dominate the TV market, while Expresso has the largest circulation numbers for weekly periodicals. Impressa also owns many other media companies and magazines, all of which are currently most likely impacted by the attack as well.

In December, the ransomware gang hit the websites under Brazil’s Ministry of Health (MoH) causing the unavailability of COVID-19 vaccination data of millions of citizens. The gang also targeted the South American telecommunication providers Claro and Embratel.

In the December attack, Lapsus$ left a message on the affected websites claiming credit and claiming that it had stolen 50 terabytes’ worth of data. As with the attack on Impresa, the group left a message that included an email address and Telegram contact information that the attackers asked to be contacted to discuss the terms of returning the data.

Both the Brazil Ministry of Health attack followed by an attack on Impresa both have one major factor in common. Both countries use Portuguese as their language and the ransom notes in both cases were in the same language. The presumed takeaway is that the Lapsus$ ransomware gang consists of Portuguese speakers.