Ragnar Locker Ransomware Gang Takes Out Facebook Ads in Key New Tactic

  • Following a Nov. 3 ransomware attack against Campari, the Ragnar Locker group took out public Facebook ads threatening to release stolen data.

    The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it stole in a Nov. 3 attack unless a $15 million ransom is paid in Bitcoin.

    Campari Group, which is behind a bevy of global brands including SKYY, Grand Marnier and Wild Turkey, has acknowledged the ransomware attack.


    This is a new spin on the double-extortion ransomware tactic, in which criminals not only lock companies out of their systems, but also threaten to release sensitive stolen data to the public if their demands are not met. The Facebook ads pile on an entirely new layer of extortion pressure, letting the general public know that Campari data is compromised and that the liquor giant is refusing to pay to keep it safe.

    The ads, first spotted by researcher Brian Krebs on Nov. 9, were to-the-point and titled, “Security Breach of Campari Group Network.” Ragnar Locker purchased the ads using a hacked Facebook account, and Krebs said they were shown to more than 7,000 users before Facebook caught on and pulled them down.

    “Cybercrime teams have no disgrace in their extortion attempts,” Chris Clements, vice president of solutions architecture with Cerberus Sentinel, said. “They will use any and all options offered to them to extract no matter what income they can from their victims. The use of compromised Facebook user accounts to buy ad campaigns to further harass their victims is novel, but not at all out-of-character.”

    The ‘Wall of Shame’ Moves to Facebook

    First spotted in 2019, the Ragnar Locker group began using the threat of making stolen data public last April, when it launched a Wall of Shame website, a security researcher who uses the handle Pancak3 recently explained in a DM exchange with Threatpost.

    He added that the executables for both the Campari ransomware attack and a recent high-profile breach of gaming giant Capcom were signed by the same cert, linking both to the Ragnar Locker group. Pancak3 added that he thinks it shows that the Ragnar Locker ransomware operators are getting “more self-assured in their intrusion procedures.”

    Now, with the addition of public advertising to increase pressure on victims to pay, it would appear the group is not even trying to hide its malicious activities any longer. In fact, it is publicizing them.

    In a further twist, everyday Facebook advertisers are now vulnerable to Ragnar Locker attacks.

    “What this does show is that every online user is vulnerable to compromise and wrongful financial charges should their social-media accounts be compromised and used to purchase ad campaigns on the corresponding platforms,” Clements said. “Users should make certain that two-factor authentication is enabled on all of their online accounts and that they do not reuse the same password across different websites or mobile apps.”

    Facebook has not responded to Threatpost’s request for comment.

    Backing up bad actions with public advertising is likely to be emulated. Ragnar Locker appears to be something of an influential group within the ransomware community. In September, researchers observed the Maze group picking up the Ragnar Locker trick of distributing ransomware with virtual machines, an approach that experts at Sophos Managed Threat Response called “radical.”

    However, experts say, keeping individual accounts secure goes a long way toward mitigating the risk that groups like these pose to the public, and 2FA is a good place to start, despite any inconvenience that managing many unique passwords can present.

    “Password-manager apps can help ease the load of remembering unique passwords across several websites or applications but carry their own risk should they become compromised,” Clements said. “Still, the benefits of using a password manager typically greatly outweigh the potential downsides.”