Ragnar Locker gang runs ads on hacked Facebook accounts

Ragnar Locker ransomware creators breached Campari Group servers

Ragnar Locker actors have found a new extortion method: using hacked Facebook accounts to pressure victims into paying

On November 2nd, 2020, a cyberattack was launched against the popular Italian branded beverage company Davide Campari-Milano S.p.A., also known as Campari. The enterprise issued a statement[1] on November 6th, admitting that it had suffered a malware attack and had since contained the issue.

The creators of the Ragnar Locker ransomware family[2] acknowledged that they were behind the attack and requested a ransom of $15 million. It is known that the cybercriminals encrypted sensitive data on computers and servers and stole a massive portion of those files. As always, the threat actors are pressuring the company to agree to their terms, or the stolen data will be made public, exposing company plans, banking information, employee details, drawings, private contact details, etc.

Campari is an Italian-based alcoholic beverage producer established in 1980 and is known for such drinks as Grand Marnier, Aperol, Skyy Vodka, and others. The beverages are currently distributed in over 190 countries worldwide.

Hacked Facebook accounts now used for money extortion

This time, the Ragnar Locker ransomware developers took an additional step to pressure their victims into submission. As first reported[3] by Krebs on Security, the cybercriminals hacked into Facebook Inc. advertising accounts and used them to buy ad campaigns. By doing this, the hackers seek to force their victims into meeting their demands, i.e., paying the requested ransom. It is yet another way to extort money.

In the Campari Group Press Release, the company stated:

…we acknowledge that there has been some data loss… At this stage, we cannot completely exclude that some personal and business data has been taken.

The Ragnar Locker gang quickly reacted to this statement and responded to it in a Facebook ad titled “Security breach of Campari Group network”:

This is ridiculous and looks like a big fat lie. We can confirm that confidential data was stolen and we are talking about a huge volume of data.

The cybercriminals also declared that they had stolen two terabytes of the company's data and that the Campari Group had until 6 PM EST on November 10 to negotiate a deal with them. Otherwise, all of the stolen information would be exposed, i.e., made public. According to the Ragnar Locker crew, they stole accounting files, banking statements, clients' and employees' personal information (such as social security numbers, addresses, etc.), non-disclosure agreements, audit reports, emails, and much more.

Brian Krebs reported that, after speaking with Chris Hudson, the owner of the Facebook account from which the Ragnar Locker ads were shown, he learned that the advertisement had been displayed to over seven thousand Facebook users before the social media giant detected the fraudulent campaign and removed it.

Why the Campari attack is significant

Ransomware has been a significant threat to companies, SMBs, and individuals since the mid-2000s[4]. Since then, it has evolved rapidly from relatively simple encryption code. Ransomware-as-a-service[5] has also gained immense popularity among ransomware gangs.

The main principle of ransomware is very simple: lock the company's or user's files and then demand a ransom in return for the decryption key. Threat actors who go after larger targets quickly noticed that enterprises restore data from backups, which makes this type of extortion ineffective.

At the end of 2019, the Maze ransomware introduced a new way to make victims pay: stealing sensitive corporate information before deploying the crypto-malware. As a result, each ransomware attack had to be treated as a major data breach. Victims began paying millions of dollars to prevent customer and corporate data from being publicly exposed.

The Campari attack appears to mark another significant milestone for ransomware makers and their targets, as social media accounts are now being used to make victims pay. This incident is most likely just the beginning, so potential targets should invest in cybersecurity and educate their staff to prevent intrusions.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
