Fraud Management & Cybercrime , Fraud Risk Management , Ransomware

Ransomware Gang Devises Innovative Extortion Tactic

Ragnar Locker's Facebook Ad Stunt a Harbinger of New Approaches
Ransomware Gang Devises Innovative Extortion Tactic
Screenshot of Ragnar Locker's Wall of Shame, where stolen data is exposed (Source: Kaspersky)

The gang behind the Ragnar Locker ransomware posted an ad on Facebook in an attempt to publicly shame a victim so it would pay a ransom. Security experts say the innovative tactic is indicative of things to come.

See Also: Latest on Ransomware and Phishing Attacks

Earlier this week, the cyber gang hacked into a random company's Facebook advertising account and then used it to buy an ad containing a press release stating Ragnar Locker had breached the Italian liquor company Campari and demanded it pay the ransom or see its data released. The security firm Emsisoft provided an image of the ad to Information Security Media Group.

"What we're seeing right now is the rise of ransomware 2.0," says Dmitry Bestuzhev, a researcher at the security firm Kaspersky. “By that I mean, attacks are becoming highly targeted and the focus isn't just on encryption; instead, the extortion process is based around publishing confidential data online."

Start of a Trend?

Security experts say ransomware gangs increasingly will try new stunts to force their targets to pay up.

"I've not seen a play like this before, but it's not at all surprising. Ransomware groups push out press releases and do media outreach, so this was a logical extension," says Brett Callow, threat analyst with Emsisoft.

Chris Hauk, consumer privacy champion at Pixel Privacy, says "Facebook shaming" could be an effective method of pressing for a ransom payment by publicizing a breach to a targeted company’s customers.

"While I hesitate to say I am entertained by the creative methods the bad actors of the world are using to pressure companies to pay after a ransomware incident, I will admit I am intrigued," Hauk says.

The Ransomware Attack

Campari said in a Nov. 2 statement that it had been struck by ransomware the previous day. On Nov. 6, the company issued an update saying some systems were encrypted and some data had been lost, although at that time it did not know the extent of the damage.

On Nov. 9, Campari reported some systems had been recovered but others remained “temporarily and deliberately either suspended or operating with limited functionality across multiple sites, awaiting their sanitization or rebuild in order to resume all systems in a fully secure way."

Ragnar Locker's Evolution

The Ragnar Locker ransomware gang first came onto the scene in 2019 but remained off most radar screens until the first half of this year when it began a series of highly targeted attacks.

Like Maze, the Ragnar Locker gang steals its victim's data prior to encryption and, if the ransom is not paid, it posts samples on its leak site, according to a Kaspersky report.

Whatever It Takes

As more organizations improve their ability to recover from a ransomware incident, cybercrime syndicates are devising new strategies to win ransom payments.

In October, for example, Finnish mental health provider Vastaamo reported that, after it refused to bow to the ransom demands of attackers following a breach, the threat actors threatened patients with exposure of their data if the demands were not met (see: Patients Blackmailed 2 Years After a Breach).

"This indicates that these bad actors are willing to do whatever is needed to increase their return on investment, even if it means ruining innocent victims' lives," Hauk says.

Kaspersky's Bestuzhev says an extortion approach that includes posting data opens the victim to a variety of legal issues.

"Doing so puts not just companies' reputations at risk but also opens them up to lawsuits if the published data violates regulations like HIPAA or [the EU's] General Data Protection Regulation. There's more at stake than just financial losses," Bestuzhev says.

Brian Higgins, security specialist at Comparitech, notes: "Criminal organizations will always seek to exert maximum pressure for minimum effort in order to force their victims to pay up."

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.