Threat Watch

Ransomware Group Used Facebook Ads to Pressure Victim

Modern ransomware was first introduced in 2012 and has been constantly evolving over the years to increase damage to victims and force payment to the criminals. The new evolution, pioneered by the Ragnar Locker operators, is that they used a hacked Facebook advertiser’s account to create advertisements promoting their latest attack, which happens to be against the Campari Group, in an attempt to put more pressure on the victim to pay the extortion demand. The Campari Group is an Italian liquor company that suffered a ransomware attack that claims to have stolen 2 terabytes of data before encrypting the company’s network. The attackers are demanding a $15 million USD ransom. For the first time, the Ragnor Locker gang hacked a Facebook account and ran advertisements that warn Campari customers that the company’s data will be published if they do not pay the ransom. The advertisement was titled “Security breach of Campari Group Network” by the “Ragnar_Locker Team” and warned that their data could be released. Chris Hodson, the hacked Facebook account holder, stated that the advertisement was shown to over 7,000 users before Facebook detected the fraudulent campaign and removed it. This new tactic shows that ransomware attacks are and will continue to evolve as attackers try to extort larger payments from companies.

ANALYST NOTES

Ransomware operators claim that as part of the deal they will delete the stolen data. However, ransomware negotiations service Coveware has found that the attackers are increasingly not keeping their promise to delete the stolen data so they can use the data for further attacks. If there is any way to avoid it, ransom payments should not be made because they fuel future attacks. Law enforcement agencies should be notified of attacks as soon as they are discovered. The best strategy is to invest in security measures to keep attackers out and quickly detect security breaches to stop threat actors from being able to steal or encrypt data files in the first place. Security analysts must be available 24/7 to respond because threat actors strike at the times they believe to be off-hours most often.

Source Article: https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/