Ransomware attackers pressure victims on Facebook

On 1 November, 2020, the Ragnar Locker ransomware collective hacked into Campari Group, a major Italian beverage company. While this attack looked like a typical ransomware incident at first, that changed the following week. Facebook ads from Ragnar Locker started appearing on 9 November, further pressuring Campari to pay the ransom.

As Krebs on Security first reported, this ransomware ad campaign emerged after supposedly misleading statements from Campari. After announcing the attack, the company said they couldn’t exclude the possibility that they lost some personal data.

According to Ragnar Locker’s ads, this downplayed reality, as the group had successfully stolen 2 terabytes of data.

A new layer of extortion

These Facebook ads did more than inform the masses about the size of the Campari data breach. They announced that the company had until 6pm EST on 10 November to negotiate payment. If Campari didn’t pay the US$15 million ransom, the hackers would release the stolen information to the public.

To purchase the ad campaign, the group also hacked into the Facebook account of Hodson Event Entertainment. Using the Chicago-based DJ’s account, they budgeted US$500 for the entire campaign, which reached more than 7,000 users. Facebook reportedly billed Hodson US$35 for the initial ad fees before flagging the campaign as fraudulent.

By publicising their attack on Facebook, Ragnar Locker put public pressure on Campari to pay the ransom. This ad-based approach seems to be new territory for hackers and copycats could soon follow.

Cybercriminals are growing bolder

While using Facebook ads is novel, this isn’t the first instance of hackers putting public pressure on their victims.

In April 2020, Ragnar Locker launched a Wall of Shame website where it posts about companies whose data it stole. There have also been reports of hackers using call centres to call their victims and remind them of the ransom.

It shouldn’t come as a surprise that cybercriminals are adopting this trend of public shaming. As ransomware attacks have grown, companies have gotten better at combatting them, preventing any ransom payment. Most US cities have even signed charters never to pay criminals in a ransomware attack.

In light of these rising defences, cybercriminals have had to become more creative with their attacks. Publicising attacks puts increased pressure on a company to pay the ransom and can harm their public image. Whether or not these shame tactics are working is unclear, but they’ll likely continue to grow.

Troubling trends in ransomware

This Facebook ad campaign is the latest in a series of worrying updates in ransomware. Ransomware has exploded this year, accounting for as much as one-quarter of cyberattacks, according to some security firms’ findings. These attacks are growing in frequency and severity.

Ransomware demands of more than US$40 million would have been unheard of in previous years. In 2020, these massive attacks are becoming more common. As more companies embrace digital transformation, ransomware groups are also targeting a wider range of victims.

As this latest Ragnar Locker attack shows, cybercriminals are finding new ways to boost their effectiveness. Companies must keep up and employ more comprehensive, cutting-edge security tools. Ransomware is changing fast and defences need to evolve with it.

Companies need to be more vigilant than ever

In light of these developing threats, the need for robust cybersecurity has never been more urgent. Ransomware groups are targeting more companies more frequently and with greater severity. Without constant vigilance and reliable security, businesses could find themselves in a situation like Campari’s.

As new defences emerge, ransomware is sure to evolve again. Tactics on both sides will keep shifting as the never-ending battle for cyber supremacy continues. Cybercriminals aren’t letting their guard down, so neither should security professionals.