Threat Actors Committing Ransomware Evolve Their “Marketing” Strategy
First entering the cybercrime scene around 2012, ransomware has since become one of the most nefarious means for hackers to make quick money. But a ransomware group has now started to run Facebook advertisements to pressure victims into paying a ransom. In November of 2019, some ransomware groups adopted a new double-extortion strategy in which hackers steal unencrypted files before encrypting the compromised devices. The attackers then threaten to release those stolen files on ransomware data leak sites if a ransom is not paid.
Earlier this month, the threat actors behind the Ragnar Locker ransomware seemingly compromised Italian liquor company Campari Group with a ransomware attack, stealing an estimated 2 TB of unencrypted files before encrypting their network. In an attempt to increase the pressure on Campari to pay the $15 million ransom, the threat actors hacked into a Facebook advertiser’s account and created advertisements promoting their attack on the liquor company. The advertisements warned that the stolen data would be published if the ransom was not paid.
The Facebook advertisement was titled “Security breach of Campari Group network” by the “Ragnar_Locker Team” and warned that further sensitive data would be released. Chris Hodson, the hacked Facebook account owner, claims that the advertisement was shown to over 7,000 Facebook users before Facebook detected it as a fraudulent campaign. Ransomware actors have long threatened to escalate their extortion attempts by contacting stock exchanges, major media, and clients about the attack on a victim and the victim’s loss of data. This new tactic of promoting attacks through Facebook shows the continuing evolution of ransomware extortion. Ransomware attacks have proven to be quite profitable for hackers, and we should expect to see more of these attacks and escalations in the future.