Bottle of Campari showing ransomware attack with Facebook Ads that adds pressure

A New Wrinkle in Ransomware Attacks: Facebook Ads That Pressure Victims

Ransomware attackers have ambitiously expanded their operations in the past year, doing everything from adding a blackmail element to fielding public relations campaigns. The outlaw industry continues to innovate as the Ragnar Locker Team has begun using Facebook ads to pressure victims into paying up.

A novel use of Facebook Ads

The Ragnar Locker Team, one of the most notorious ransomware attack groups to emerge in the past year, has been observed running Facebook ads targeted at Italian liquor conglomerate Campari Group. Campari owns about 50 brands of alcohol and soft drinks that are distributed internationally including SKYY Vodka and Wild Turkey.

Campari appears to have been hit by the Ragnar Locker ransomware, but apparently has not been compliant enough for the hacking group’s taste. Threats to make confidential data public (the “double extortion” method) are no longer unusual in the ransomware world, but the use of Facebook Ads to put pressure on a victim is novel.

Of course, Facebook has policies against ads that promote or contribute to criminal activity. A Facebook Ads account engaging in such behavior will be banned from the network, though it would appear one can run such ads for at least the better part of a day before they are detected. Ragnar Locker appears to be using hacked Facebook accounts to run the ads. The campaign against Campari was paid for by an entity called Hodson Event Entertainment, owned by a Chicago DJ named Chris Hodson. In an interview with KrebsOnSecurity, Hodson confirmed that his Facebook account had been hacked and that the attackers had loaded $500 USD into it to run the campaign.

Ragnar Locker Group ran simple Facebook ads entitled “Security breach of Campari Group network.” The ad shared with the public addressed a press release from Campari that did not fully acknowledge that the company had been hit by a Ragnar ransomware attack. The hackers claimed that they had encrypted Campari’s servers and downloaded two terabytes of its private information, calling the press release a “big fat lie.” The Facebook ad campaign appears to have reached about 7,150 of the social media site’s users during the time that it was active.

The attackers are seeking $15 million in Bitcoin. Ragnar Locker Group has published the private data of previous targets on its dark net “Wall of Shame” site. The group is estimated to have made millions from its ransomware attacks since it surfaced in December 2019; one of the biggest single payments came from travel management firm CWT in July, which paid $4.5 million in ransom. In addition to thinking outside the box in terms of communications strategies, the Ragnar group has also demonstrated technical creativity. In an April attack on Energias de Portugal (EDP), the hackers deployed a Oracle VirtualBox Windows XP virtual machine to hide the ransomware executable from view.

Ransomware attacks evolve, show no signs of going away

The capabilities of the major ransomware groups have expanded in the past year. In addition to the “double extortion” technique becoming standard operation procedure, ransomware attackers have added a patina of legitimacy to their operations with things like a dedicated customer service portal and the issuance of press releases. Some have even gone so far as to donate some of the stolen funds to charities (though any organization could find itself in serious legal trouble if it knowingly accepts the funds).

This is all something of a surprise given that ransomware attacks went into an extended lull in 2017 and 2018, leading some security analysts to speculate that it was dying out. It has since come roaring back, in part fueled by the coronavirus pandemic and the new opportunities created with the increased amount of remote workers across all types of organizations and industries.

There is no sign of this perverse innovation slowing down. The total cost of ransomware in 2020 is estimated to be about $20 billion, with demands topping $1 billion. These amounts are projected to increase year-over-year to at least 2025, and the average ransom demand is creeping close to $100,000 (according to statistics collected by Emsisoft). Raif Mehment, VP EMEA of Bitglass, elaborated on how the total costs of ransomware often far exceed the payment amount: “Estimating the cost of a ransomware attack can be near impossible … there is the cost of downtime, lost sales opportunities, damage to brand reputation and potential fines for non-compliance that could come into play … let alone disaster recovery after the fact.”

Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, notes that ransomware attacks are still a threat to small businesses even though the criminals are showing a strong preference for ‘big fish’ enterprises: “What this does show is that every online user is vulnerable to compromise and false financial charges should their social media accounts be compromised and used to purchase ad campaigns on the corresponding platforms. Users should ensure that two-factor authentication is enabled on all of their online accounts and that they do not reuse the same password across different websites or mobile applications. Password manager applications can help alleviate the burden of remembering unique passwords across multiple sites.”

In addition to Facebook Ads, some groups have also recently been observed making use of India-based call centers to reach out to victims by phone with their ransom demands. The ransomware groups behave like debt collectors, persistently calling the victim to nag them about payment and threaten to publicly release sensitive stolen data.