The Ragnar Locker ransomware gang has taken to posting ads on Facebook to publicly shame victims into paying ransoms. Security experts say that this innovative new tactic is indicative of things to come.
In November of 2020, the hackers gained access to a victim’s Facebook advertising account. They then bought an ad containing a press release stating that Ragnar Locker had breached the Italian liquor maker Campari and demanding that the company pay the gang’s ransom or see its data released.
Is This the Start of a New Trend?
Experts are saying that ransomware gangs will continue to try new stunts to force their victims to pay. According to Brett Callow of Emsisoft, “I’ve not seen a play like this before, but it’s not at all surprising. Ransomware groups push out press releases and do media outreach, so this was a logical extension.”
Chris Hauk, a consumer privacy champion at Pixel Privacy, said that “Facebook shaming” can now be an effective method of pressing for a ransom payment, adding, “While I hesitate to say I am entertained by the creative methods the bad actors of the world are using to pressure companies to pay after a ransomware incident, I will admit I am intrigued.”
The Attack Against Campari
On Nov. 1st of 2020, Campari was struck by ransomware. By Nov. 6th, the company had issued an update saying some systems were encrypted and some of its data had been lost, although at that time it was not aware of the extent of the damage.
On Nov. 9th, Campari reported the recovery of some systems but stated that others remained “temporarily and deliberately either suspended or operating with limited functionality across multiple sites, awaiting their sanitization or rebuild in order to resume all systems in a fully secure way.”
The Evolution of Ragnar Locker
The Ragnar Locker gang first came onto the scene in 2019, but lay low until the first half of 2020, when it began a series of high-profile attacks. Like the Maze hacking group, the Ragnar Locker gang steals its victims’ files before encryption and, if the ransom demands are not met, posts the data on its leak site.