Ragnar Locker Ransomware Gang Takes Out Facebook Ads in Key New Tactic

Following a Nov. 3 ransomware attack against Campari, Ragnar Locker group took out public Facebook ads threatening to release stolen data.

The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it stole in a Nov. 3 attack – unless a $15 million ransom is paid in Bitcoin.

Campari Group, which is behind a bevy of global brands including SKYY, Grand Marnier and Wild Turkey, has acknowledged the ransomware attack.


This is a new spin on the double-extortion ransomware tactic, where criminals not only lock organizations out of their systems, but also threaten to release sensitive stolen data to the public if their demands aren’t met. The Facebook ads pile on an entirely new layer of extortion pressure, letting the public know that Campari data is compromised and that the liquor giant is refusing to pay to keep it secure.

The ads, first spotted by researcher Brian Krebs on Nov. 9, were to-the-point and entitled, “Security Breach of Campari Group Network.” Ragnar Locker bought the ads using a hacked Facebook account, which Krebs said were subsequently shown to more than 7,000 users before Facebook caught on and pulled them down.

“Cybercrime groups have no shame in their extortion attempts,” Chris Clements, vice president of solutions architecture with Cerberus Sentinel said. “They will use any and all options available to them to extract whatever money they can from their victims. The use of compromised Facebook user accounts to buy ad campaigns to further harass their victims is novel, but not at all out-of-character.”

The ‘Wall of Shame’ Moves to Facebook 

First observed in 2019, the Ragnar Locker group started using the threat of making stolen data public last April, when it launched a Wall of Shame site, security researcher who uses the handle Pancak3 recently explained in a DM exchange with Threatpost.

He added that the executables for both the Campari ransomware attack and a recent high-profile breach of gaming giant Capcom were signed by the same cert, linking both to the Ragnar Locker group. Pancak3 added that he thinks it shows that the Ragnar Locker ransomware operators are getting “more confident in their intrusion methods.”

Now, with the development of public advertising to increase pressure for victims to pay, it would appear the group is not even trying to hide their malicious activities any longer. In fact, they’re publicizing them.

In added criminal twist, everyday Facebook advertisers are now vulnerable to Ragnar Locker attacks.

“What this does show is that every online user is vulnerable to compromise and false financial charges should their social-media accounts be compromised and used to purchase ad campaigns on the corresponding platforms,” Clements said. “Users should ensure that two-factor authentication is enabled on all of their online accounts and that they do not reuse the same password across different websites or mobile applications. ”

Facebook has not responded to Threatpost’s request for comment.

Backing up bad actions with public advertising is likely to be emulated. Ragnar Locker appears to be somewhat of an influential group within the ransomware community. In Sept. researchers observed the Maze group picking up the Ragnar Locker trick of distributing ransomware with virtual machines, an approach experts at Sophos Managed Threat Response called “radical.”

Still, experts say, keeping individual accounts secure goes a long way to mitigating the threat that groups like these have on the public — and 2FA is a good place to start despite any inconvenience that managing multiple unique passwords can present.

“Password-manager applications can help alleviate the burden of remembering unique passwords across multiple sites or applications but carry their own risk should they become compromised.” Clements advised. “Still, the benefits of using a password manager usually greatly outweigh the potential downsides.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.



Suggested articles