Ransomware Operators Hacked Facebook Accounts to Run Extortion Ads

Everyone knows that ransomware is one of the most active threats in the current era, and it’s mainly due to the great benefits it returns to its operators. According to a report, the developers of the Sodinokibi/REvil ransomware have made a profit of more than $100 million in just one year.

It seems that attackers are constantly proposing new approaches to extort money from their victims. As the developers of the Ragnar Locker have taken advantage of access to a computer that is already infected with their malware to get access to the Campari Group Facebook account; It’s the Italian liquor company that seemingly suffered an attack by the Ragnar Locker ransomware.

In the first phase, the attack occurred on November 3, in which the Ragnar Locker managed to steal 2TB of sensitive data and demanded a ransom of $15 million in Bitcoin. Below you can see the ransom note offered by the Ragnar Locker operators.

Hacked Facebook Accounts to Run Extortion Ads

In the second phase, the security researcher Brian Krebs spotted the Facebook ad on November 9. Here, the operators of the Ragnar Locker purchased the ads using Chris Hodson’s hacked Facebook account. And latter spread this ad among more than 7,000 users before Facebook noticed and deleted it, and generated more than 700 clicks.

Moreover, the owner of the hacked Facebook account, Chris Hodson, later affirmed that for this ad campaign, Facebook billed him $35.

While on November 6, the Italian liquor company, Campari, issued a follow-up statement in which they asserted that “at this stage, we can’t completely exclude that some personal and business data has been taken.”

In this ad campaign, the threat actors used this title “Security breach of Campari Group network” by the “Ragnar_Locker Team” to spread their ad on Facebook. Here, the main aim of the threat actors is to achieve the reputation of the victim, and in this case, it’s Campari. 

By revealing to the public the fact that the data of Campari was stolen and the company was compromised, the operators of the Ragnar Locker are frequently perfecting the communication around their exploits. 

Just like others, the Ragnar Locker has also quickly managed to create a new form of medium to spread their ill-disposed fruits by identifying the victims and the size of the data stolen.

This event clearly shows that cybercriminals not only find ransomware one of the most lucrative businesses, as they also try to maximize their profits by incorporating new forms of extortion.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Leave a Reply