Ransomware Gang Devises Innovative Extortion Tactic
Ragnar Locker's Facebook Ad Stunt a Harbinger of New Approaches
The gang behind the Ragnar Locker ransomware posted an ad on Facebook in an attempt to publicly shame a victim so it would pay a ransom. Security experts say the innovative tactic is indicative of things to come.
Earlier this week, the cyber gang hacked into a random company's Facebook advertising account and then used it to buy an ad containing a press release stating Ragnar Locker had breached the Italian liquor company Campari and demanded it pay the ransom or see its data released. The security firm Emsisoft provided an image of the ad to Information Security Media Group.
"What we're seeing right now is the rise of ransomware 2.0," says Dmitry Bestuzhev, a researcher at the security firm Kaspersky. "By that I mean, attacks are becoming highly targeted and the focus isn't just on encryption; instead, the extortion process is based around publishing confidential data online."
Start of a Trend?
Security experts say ransomware gangs increasingly will try new stunts to force their targets to pay up.
"I've not seen a play like this before, but it's not at all surprising. Ransomware groups push out press releases and do media outreach, so this was a logical extension," says Brett Callow, threat analyst with Emsisoft.
Chris Hauk, consumer privacy champion at Pixel Privacy, says "Facebook shaming" could be an effective method of pressing for a ransom payment by publicizing a breach to a targeted company's customers.
"While I hesitate to say I am entertained by the creative methods the bad actors of the world are using to pressure companies to pay after a ransomware incident, I will admit I am intrigued," Hauk says.
The Ransomware Attack
Campari said in a Nov. 2 statement that it had been struck by ransomware the previous day. On Nov. 6, the company issued an update saying some systems were encrypted and some data had been lost, although at that time it did not know the extent of the damage.
On Nov. 9, Campari reported some systems had been recovered but others remained "temporarily and deliberately either suspended or operating with limited functionality across multiple sites, awaiting their sanitization or rebuild in order to resume all systems in a fully secure way."
Ragnar Locker's Evolution
The Ragnar Locker ransomware gang first came onto the scene in 2019 but remained off most radar screens until the first half of this year when it began a series of highly targeted attacks.
Whatever It Takes
As more organizations improve their ability to recover from a ransomware incident, cybercrime syndicates are devising new strategies to win ransom payments.
In October, for example, Finnish mental health provider Vastaamo reported that, after it refused to bow to the ransom demands of attackers following a breach, the threat actors threatened patients with exposure of their data if the demands were not met (see: Patients Blackmailed 2 Years After a Breach).
"This indicates that these bad actors are willing to do whatever is needed to increase their return on investment, even if it means ruining innocent victims' lives," Hauk says.
Kaspersky's Bestuzhev says an extortion approach that includes posting data opens the victim to a variety of legal issues.
"Doing so puts not just companies' reputations at risk but also opens them up to lawsuits if the published data violates regulations like HIPAA or [the EU's] General Data Protection Regulation. There's more at stake than just financial losses," Bestuzhev says.
Brian Higgins, security specialist at Comparitech, notes: "Criminal organizations will always seek to exert maximum pressure for minimum effort in order to force their victims to pay up."