Ransomware Group relies on Facebook advertising – Krebs on Security
It’s bad enough that many ransomware gangs now run blogs that publish data stolen from companies that refuse to pay an extortion demand. Now a criminal group has started using hacked Facebook accounts to run ads that publicly urge its ransomware victims to pay.
On Monday evening, November 9th, an advertising campaign apparently placed by the Ragnar Locker team appeared on Facebook. The ad was meant to turn the screws on the Italian drinks seller Campari Group, which admitted on November 3 that its computer systems had been sidelined by a malware attack.
On November 6th, Campari issued a follow-up statement saying: “At this point in time, we cannot completely rule out the possibility that some personal and business information has been collected.”
“This is ridiculous and looks like a big fat lie,” reads the Ragnar crime group’s Facebook ad campaign. “We can confirm that confidential data has been stolen and we’re talking about huge amounts of data.”
The ad went on to say the Ragnar Locker team had dumped two terabytes of information and would give the Italian firm until today (November 10) at 6 p.m. EST to negotiate an extortion payment in exchange for a promise not to publish the stolen files.
The Facebook ad campaign was paid for by Hodson Event Entertainment, an account tied to Chris Hodson, a Chicago DJ. Contacted by KrebsOnSecurity, Hodson said his Facebook account had indeed been hacked and the attackers had budgeted $500 for the entire campaign.
“I thought I turned on two-step verification for all of my accounts, but now it looks like Facebook is the only one I didn’t set it up for,” Hodson said.
Hodson said a review of his account showed the unauthorized campaign reached around 7,150 Facebook users and generated 770 clicks, with a cost-per-result of 21 cents. Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently flagged the ads as fraudulent sometime this morning, before his account could be billed an additional $159 for the campaign.
It is unclear whether this was an isolated case or whether the fraudsters also placed ads via other hacked Facebook accounts. A spokesman for Facebook said the company is still investigating the incident. A request for comment emailed to Campari’s media relations team was returned as undeliverable.
However, it is likely that we will see more of this and other mainstream advertising from ransomware groups in the future, even if victims have no real expectation that paying a ransom demand will result in criminals actually deleting, or otherwise refraining from using, stolen data.
Fabian Wosar, chief technology officer of computer security company Emsisoft, said some ransomware groups have recently become particularly aggressive in pressuring their victims to pay.
“They also started calling victims,” said Wosar. “They are outsourcing to Indian call centers that call the victims and ask when they are paying or their data has been leaked.”