Dive Brief:
- Operators behind Ragnar Locker ransomware are using a Facebook ad campaign to pressure Italy-based beverage company Campari Group to pay its ransom, KrebsOnSecurity reported.
- The unauthorized ads, run by the Ragnar Locker operators on Nov. 9, boasted, "we can confirm that confidential data was stolen and we talking about huge volume of data." The ads also alleged the group offloaded 2 TB of data and gave Campari a deadline to pay the ransom.
- The group hacked the Facebook account of Hodson Event Entertainment, attempting to bill the $159 campaign, on top of an initial $35, to the business before Facebook caught it as fraudulent, according to the report. Hodson's analytics showed the campaign generated 770 clicks.
Dive Insight:
Campari disclosed its hack on Nov. 3 and isolated various systems to stop the spread. The operators asked Campari for $15 million in bitcoin on Nov. 1.
By Nov. 6, Campari confirmed "there has been some data loss," which is still under investigation to determine the confidentiality of the impacted information.
"At this stage, we cannot completely exclude that some personal and business data has been taken," the company said. Campari is working with the FBI and the Italian cyber police, and notified its respective data protection authorities.
Depending on the company or whether a breach occurred, ransomware attacks can go undisclosed, or unacknowledged until financial reports are made available. Had Campari not disclosed the cyberattack, the Facebook ads might have been more effective.
Ragnar Locker's operators are continuing to "shame Campari even though officials have not reached out to the Ragnar Locker group. Campari is doing the right thing by ignoring their attempts," said Chad Anderson, senior researcher at DomainTools, in an emailed statement to Cybersecurity Dive.
The Facebook ads were an attempt to push Campari to pay its ransom, a variation on a tactic ransomware operators already use. When ransomware operators added data exfiltration to their attacks in 2019, they also started publicly posting stolen data in retaliation for unpaid ransoms.
Ragnar Locker's use of Facebook is an "aggressive evolution" for extortion, but "shows the group is getting desperate for their payday," said Anderson.
In June, the operators behind REvil launched an eBay-like site on the dark web to auction off stolen data. When the pandemic hit stateside and led the U.S. economy into a recession, cybercriminals felt the financial collapse too.
Victimized organizations are less likely to pay ransoms, and researchers theorize that publicly publishing data is an attempt by criminals to recoup the costs of their operations.
As lockdowns are reinstated across European countries and parts of the U.S., researchers expect to see an influx of ransomware attacks. "Any EU provisions for circumventing GDPR fines for these companies … will help avoid a situation where the government is then forcing funding of ransomware groups," said Anderson.