It is now common for ransomware gangs to steal data prior to encrypting files and to issue threats to publish or sell the stolen data if the ransom is not paid.
This double extortion tactic was started by the Maze ransomware gang in 2019 but has since been adopted by many different threat groups. While companies attacked with ransomware usually have backups and can restore their systems in the event of an attack, the reputation damage and breach costs from having stolen data publicly exposed or sold adds an extra incentive to pay up.
Many threat groups now have their own leak sites that they use for this purpose, and there have even been cases where ransom demands have been issued to individuals to stop their embarrassing data from being exposed, in addition to the ransom issued to the breached company.
A new tactic has now been observed which is intended to pile pressure on breached companies. One ransomware gang has used a hacked Facebook account to set up Facebook adverts promoting its attack and threatening to release the data stolen in the attack.
On November 3, 2020, Campari Group suffered a ransomware attack involving Ragnar Locker ransomware. Prior to the encryption of files, around 2 TB of files were exfiltrated by the attackers. A ransom of $15 million in Bitcoin was demanded for the keys to unlock the encrypted files and to ensure the deletion of the stolen data.
When the ransom was not paid, the attackers used the hacked Facebook account of Chris Hodson to set up adverts, which came out of the funds of Hodson Event Entertainment. The adverts, titled ‘Security Breach of Campari Group Network,’ warned that sensitive data stolen in the attack would be publicly released.
Campari Group had previously issued a statement about the attack in which the group said, “at this stage, we cannot completely exclude that some personal and business data has been taken.” The Facebook adverts pointed out that data was definitely stolen in the attack, with the Ragnar Locker gang confirming a “huge volume of data” was stolen – 2 TB – which would be offloaded if Campari Group did not negotiate a payment.
Facebook identified the fraudulent adverts and shut them down, but not before the adverts had been displayed to around 7,150 Facebook users.
It is too early to tell whether this will now become a regular tactic used to encourage victims to pay, but it is a good idea for all Facebook advertisers to ensure that 2-factor authentication is set up on their Facebook accounts to prevent their funds from being drained in the event of their login credentials being compromised and used in a malicious ad campaign.