Ransomware gang takes out Facebook ads to apply pressure on victim


  • Campari Group was infected by ransomware earlier this month
  • Ragnar Locker Team used hacked Facebook accounts to apply pressure on blackmail victims.

It’s a story we’re sadly all too familiar with.

A company, in this case Italian liquor company Campari, is attacked by ransomware, planted by hackers who have compromised the firm’s network. Its files and devices are encrypted – locking the business out of its data, but not before the sensitive information has been exfiltrated by the criminal gang.

The attackers leave a ransom note on the breached network saying that a sizeable ransom must be paid – not only for the decryption key for the now garbled files, but also to prevent the stolen data from being shared on the internet or sold on to other criminals.

In an increasing number of instances, the hacking gang may even attempt to get the assistance of technology journalists, tipping them off about the contents of stolen files, hoping that negative press coverage might encourage their corporate victims to pay up rather than have their brand and public image damaged.

But now at least one cybercrime gang appears to have found a new method to raise the pressure on those they are blackmailing.

As cybercrime blogger Brian Krebs reports, the Ragnar Locker ransomware gang has taken the eyebrow-raising step of buying Facebook ads to tell the world it has infected drinks manufacturer Campari.

According to Krebs, the gang has used a hacked Facebook account to buy adverts on the social network.

The ads, which describe themselves as a “Ragnar_locker Team Press Release” publicise the security breach of Campari Group’s network, and that its network has been encrypted as a result of the ransomware attack.

What seems to have really upset the criminals, however, is Campari’s failure to confirm if any data has been stolen from its network:

“This is ridiculous and looks like a big fat lie,” says the Facebook ad. “We can confirm that confidential data was stolen and we talking about huge volume of data.”

The ad continues to give Campari Group a deadline (6pm on November 10th) to agree terms with the Ragnar Locker extortionists.

So, shouldn’t it be easy to identify who is behind the ransomware attack by identifying who purchased the Facebook advert?

Unfortunately, it’s not as easy as that. You see, the Facebook ad was posted by a company called Hodson Event Entertainment, belonging to a Chicago-based DJ. It appears that the hackers compromised the Hodson Event Entertainment account and then attempted to spend $500 of its Facebook advertising budget to launch the marketing campaign.

As a result, according to DJ Chris Hodson, over 7000 Facebook users saw the ad, with some 770 users choosing to click. The numbers would have been much higher if Facebook had not determined that the ad campaign was fraudulent.

Facebook says that it is investigating if the hackers might have run similar ad campaigns from other hacked accounts.

What can you do about it? Well, if you don’t like the idea of your Facebook account being exploited to do the dirty work of extortionists I would recommend that you take great care with your password, and ensure that you have two-factor authentication (2FA) enabled.

2FA is not a 100% cast iron guarantee that hackers will never be able to break into your account, but it certainly makes their job much more difficult. In many cases, attackers will simply move on to find a softer target if they find you have hardened your defences.