Nvidia, the ransomware breach with some plot twists

On February 25, news broke about a cyberattack on Nvidia, America’s biggest microchip company, which saw parts of its business taken offline for two days. Soon after, the ransomware group LAPSUS$ claimed responsibility and threatened to leak 1 TB in exfiltrated data.

You would think that while this is big news, the story is one that has been told many times. So many times that ransomware fatigue is starting to become the new security fatigue. But there are some interesting aspects to this particular attack that make it stand out.


The LAPSUS$ group is a relative newcomer to the ransomware scene, but it has made a name for itself by bringing down big targets like Impresa, the largest media conglomerate in Portugal, Brazil’s Ministry of Health, and Brazilian telecommunications operator Claro. The group is believed to hail from South America, based on its targets and the near-native use of Spanish and Portuguese. The main attack vector is phishing which the group uses to gain a foothold before moving on to breach the network from there.


In the case of the Nvidia breach, LAPSUS$ claimed it was mainly after the removal of the lite hast rate (LHR) limitations in all GeForce 30 series firmware—apparently all to help out gamers and the mining community. Nvidia LHR graphics cards detect when they’re being used for Ethereum (ETH) cryptocurrency mining and automatically halve the hash rate.


After evaluating our position and NVIDIA’s we decided to add one more requirement.

We request that NVIDIA commits to COMPLETELY OPEN-SOURCE (and distribute under a foss license) their GPU drivers for Windows, macOS and Linux, from now on and forever.

If this request is not met, on Friday we will release the COMPLETE SILICON, GRAPHICS, AND COMPUTER CHIPSET FILES for all recent NVIDIA GPUs, including the RTX 3090Ti and UPCOMING REVISIONS! Of courrse this includes all files with extensions such as .v, .vx, .vg and more.

So, NVIDIA, the choice is yours! Either:

-Officially make current and all future drivers for all cards open source, while keeping the Verilog and chipset trade secrets… well, secret


-Not make the drivers open source, making us release the entire silicon chip files so that everyone not only knows your driver’s secrets, but also your most closely-guarded trade secrets for graphics and computer chipsets too!


(Friday in this demand is March 4, 2022)

Nvidia’s goal by implementing LHR was to get more GeForce graphics cards in the hands of gamers. We understand why LAPSUS$ would demand the removal of LHR on behalf of miners, but why the group feels this would also be beneficial to gamers is unknown, especially since there are many doubts around the effect of LHR. Also, cryptominers have already managed to unlock 70% of the hash rate in NVIDIA’s new GPUs.


Initially, Nvidia said the ultimate concern was that somebody might have put something in one of the software updates, which is understandable since that could be the foundation of a huge supply-chain attack.

Now, Nvidia has confirmedthat it was hacked and that the threat actor is leaking employee credentials and proprietary information onto the internet.

“Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.”

Hacked back?

At some point during the negotiations the LAPSUS$ group started to make a big fuss about having been hacked back. The group claimed Nvidia had hacked back to encrypt the group’s virtual machine with the data, although later toned that down to “Nvidia tried but failed, we have all the data”.

Nvidia has not responded to these claims and did not address that element in its statement. While hacking back is not unheard of, it is highly unlikely in cases like this, especially as under current US law it is illegal for the victim of a cyberattack to hack back. If we define hack back as “to launch a counterattack aimed at disabling or collecting evidence against the perpetrator,” that is.


The passwords and email addresses of some 70k employees were involved. According to Nvidia, all employees have been required to change their passwords.

The information on HaveIBeenPwnd says about the Nvidia breach:

“Impacted data included over 70k employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.”

In a tweet Troy Hunt, the owner of HaveIBeenPwnd, stated that 17% of addresses were already in the database.

Although that is a worrying number, it does not come as a surprise. According to research, 80% of consumers have had their emails leaked on the dark web and 60% of people reuse passwords across multiple accounts. The same researchers published a list of the 20 passwords most commonly found on the dark web, due to data breaches:

  • 123456
  • 123456789
  • Qwerty
  • Password
  • 12345
  • 12345678
  • 111111
  • 1234567
  • 123123
  • Qwerty123
  • 1q2w3e
  • 1234567890
  • 0
  • Abc123
  • 654321
  • 123321
  • Qwertyuiop
  • Iloveyou
  • 666666

If you recognize one or more of them we would encourage you to not only change them, but also to start using a password manager. Passwords managers help you because:

  • You don’t have to memorize all your passwords anymore.
  • They can auto-generate highly secure passwords for you.
  • They can alert you to a phishing site. If you’re using a browser-based password manager, it will not auto-complete the username and password fields since it doesn’t recognize the website as the one tied to the password.
  • They can help your beneficiaries when you pass away. All you need to leave behind is the keys to the vault.
  • Password managers save time. Beyond just storing passwords for you, some can store and auto-fill name, address, email, phone number, and credit card info.
  • Many password managers sync across different operating systems.
  • They help protect your identity, because they make it a lot easier not to re-use your passwords. One breach will not require you to change a multitude of passwords.

Stay safe, everyone!