- Operators behind Ragnar Locker ransomware are using a Facebook ad campaign to pressure Italy-based beverage company Campari Group to pay its ransom, KrebsOnSecurity reported.
- The unauthorized ads boasted "we can confirm that confidential data was stolen and we talking about huge volume of data," by the Ragnar Locker operators on Nov. 9. The ads also alleged the group offloaded 2 TB of data and offered Campari a deadline to pay the ransom.
- The group hacked the Facebook account of Hodson Event Entertainment, attempting to bill the $159 campaign, on top of an initial $35, to the business before Facebook caught it as fraudulent, according to the report. Hodson's analytics showed the campaign generated 770 clicks.
Campari disclosed its hack on Nov. 3 and isolated various systems to stop the spread. The operators asked Campari for $15 million in bitcoin on Nov. 1.
By Nov. 6, Campari confirmed "there has been some data loss," which is still under investigation to determine the confidentiality of the impacted information.
"At this stage, we cannot completely exclude that some personal and business data has been taken," the company said. Campari is working with the FBI and the Italian cyber police, and notified its respective data protection authorities.
Depending on the company or whether a breach occurred, ransomware attacks can go undisclosed, or unacknowledged until financial reports are made available. Had Campari not have disclosed the cyberattack, the Facebook ads might have been more effective.
Ragnar Locker's operators are continuing to "shame Campari even though officials have not reached out to the Ragnar Locker group. Campari is doing the right thing by ignoring their attempts," said Chad Anderson, senior researcher at DomainTools, in an emailed statement to Cybersecurity Dive.
The Facebook ads were an attempt to push Campari to pay its ransom, a version of a similar tactic ransomware operators use. When ransomware operators added data exfiltration to their attacks in 2019, they also started publicly posting stolen data in retaliation for unpaid ransoms.
Ragnar Locker's use of Facebook is an "aggressive evolution" for extortion, but "shows the group is getting desperate for their payday," said Anderson.
In June, the operators behind REvil launched an eBay-like site on the dark web to auction off stolen data. When the pandemic hit stateside and led the U.S. economy into a recession, cybercriminals felt the financial collapse too.
Victimized organizations are less likely to pay ransoms, and researchers theorize publicly publishing data is an attempt by criminals to recoup costs of their operations.
As lockdowns are reinstated across European countries and parts of the U.S., researchers expect to see an influx of ransomware attacks. "Any EU provisions for circumventing GDPR fines for these companies … will help avoid a situation where the government is then forcing funding of ransomware groups," said Anderson.