November 10, 2020

It’s bad enough that many ransomware gangs now have blogs where they publish data stolen from companies that refuse to make an extortion payment. Now, one crime group has started using hacked Facebook accounts to run ads publicly pressuring their ransomware victims into paying up.

On the evening of Monday, Nov. 9, an ad campaign apparently taken out by the Ragnar Locker Team began appearing on Facebook. The ad was designed to turn the screws to the Italian beverage vendor Campari Group, which acknowledged on Nov. 3 that its computer systems had been sidelined by a malware attack.

On Nov. 6, Campari issued a follow-up statement saying “at this stage, we cannot completely exclude that some personal and business data has been taken.”

“This is ridiculous and looks like a big fat lie,” reads the Facebook ad campaign from the Ragnar crime group. “We can confirm that confidential data was stolen and we talking about huge volume of data.”

The ad went on to say Ragnar Locker Team had offloaded two terabytes of information and would give the Italian firm until 6 p.m. EST today (Nov. 10) to negotiate an extortion payment in exchange for a promise not to publish the stolen files.

The Facebook ad blitz was paid for by Hodson Event Entertainment, an account tied to Chris Hodson, a deejay based in Chicago. Contacted by KrebsOnSecurity, Hodson said his Facebook account indeed was hacked, and that the attackers had budgeted $500 for the entire campaign.

“I thought I had two-step verification turned on for all my accounts, but now it looks like the only one I didn’t have it set for was Facebook,” Hodson said.

Hodson said a review of his account shows the unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks, with a cost-per-result of 21 cents. Of course, it didn’t cost the ransomware group anything. Hodson said Facebook billed him $35 for the first part of the campaign, but apparently detected the ads as fraudulent sometime this morning before his account could be billed another $159 for the campaign.

The results of the unauthorized Facebook ad campaign. Image: Chris Hodson.

It’s not clear whether this was an isolated incident, or whether the fraudsters also ran ads using other hacked Facebook accounts. A spokesperson for Facebook said the company is still investigating the incident. A request for comment sent via email to Campari’s media relations team was returned as undeliverable.

But it seems likely we will continue to see more of this and other mainstream advertising efforts by ransomware groups going forward, even if victims really have no expectation that paying an extortion demand will result in criminals actually deleting or not otherwise using stolen data.

Fabian Wosar, chief technology officer at computer security firm Emsisoft, said some ransomware groups have become especially aggressive of late in pressuring their victims to pay up.

“They have also started to call victims,” Wosar said. “They’re outsourcing to Indian call centers, who call victims asking when they are going to pay or have their data leaked.”


41 thoughts on “Ransomware Group Turns to Facebook Ads”

  1. Skeptic

    And the Facebook management is all fine with this ….

    Helloooo!

    1. Christoph Schmees PC-Fluesterer. info

      it’s all about the money … 🙁

  2. DelilahtheSober

    Another odd thing that’s happening to me is that I am receiving many email notifications from Facebook every day alerting me about new friend requests. But there is never any one of these friend requests showing when I log into Facebook. I make a point of never opening or clicking on links from Facebook generated emails.

    1. Skeptic

      Here is the solution: tag all emails from “facebookmail.com” domain as junk. Whatever “facebook” mail appears in your inbox will be spam!

      1. gov_lover

        Better yet delete any account associated with anything remotely related to Facebook.

  3. DelilahTheSober

    Another thing I find fascinating? I believe that Facebook is totally losing an entire demographic/generation. I am a university student and last year everyone in a specific course was required to open a Facebook account. I already had one but I’m over the age of 40. But not even one of these 18-24 year olds in my class – and these are all wealthy kids, had a Facebook account. At the immediate end of the semester, every single one of these kids closed that Facebook account. I still keep in contact with them via other means, but none of them are interested in Facebook.

    1. Sam

      As a younger person I would agree. Nobody uses Facebook and I always think it’s funny how “huge” it still is considering in my world everybody thinks it’s a joke. I don’t know how many more decades it will take but eventually Facebook is going to completely crash.

      1. Jasbat

        Not if you’re an Oculus 2 VR, unfortunately a facebook sign-in is required to use this awesome VR device.

    2. Skeptic

      “I am a university student and last year everyone in a specific course was required to open a Facebook account.”

      Given the amount of tracking FB accomplishes through an “account” I’d think you might have a good point with college administration that this “requirement” is out of bounds.

      1. DelilahTheSober

        The course was about public relations and the professor (and the administration) want students to be able to navigate in all kinds of online worlds. That was why everyone in the class was required to open a Facebook account. It actually made sense in that context – because there was a great focus in the course about the skills necessary to manage a public relations crisis in today’s world.

  4. The Sunshine State

    People need to stop using Facebook, the whole website is becoming a huge joke.

  5. Indian Rediff

    Couple of things ref: Facebook. I use Android (an admittedly poor security choice – but bear with me). I use Tinfoil for Facebook instead of the App. It is a thinly skinned browser that uses the m.facebook.com site and kills all the FB cookies after I exit the ‘app’. Result – my phone is free of all FB cookies. I am guessing that FB doesn’t know, via any of my other apps, that I have a facebook account.

    Secondly, on my desktop, I use Firefox along with multi-account containers. I also use an add-in called social-fixer. This combination ensures that FB is well isolated and does not contaminate my other browsing.

    Thirdly, I make liberal use of the multi-account containers to isolate almost each and every website that I regularly visit. Result is a clean browsing experience with no contamination.

    Lastly, I have NoScript and a variety of other add-ins, which ensures that none of the advertising companies ever have their scripts running. Again, my browsing experience is like no one else’s. And there are some sites that I simply cannot view. I leave them be and don’t visit them.

    1. jimmf

      Firefox, adblock plus, no script are essential, but too many of us overlook DNS (sorry phone users). I started with 127.0.0.1 doubleclick.net and had quite a few such entries until I found MVPS HOSTS at http://winhelp2002.mvps.org/hosts.htm. This is a great block list for me so far. With these tools my use of the Internet is mostly Ad free. Without them, like on my phone, the Internet is mostly unusable.

      1. Clay_T

        I agree with all, except AdBlock Plus.
        ABP sold out to big advertising many years ago.

        uBlock Origin is still true to the cause, plus it works with Firefox mobile.
        uBO’s ‘Block Element…’ context feature is sweet for cleaning clutter off pages.
        (ymmv. not affiliated. yada yada…)

        [I have blocking disabled on this site. Thanks Brian!]

  6. chrissuperpogi

    This is sad.
    There are a lot of people who use FB to socialize given that this pandemic is not giving us a lot of options. Plus, our local businesses depend on that same network to (hopefully) thrive in this economy.
    Hope something could be done…

    1. gov_lover

      It’s not the pandemic, it’s the government crackdowns and restrictions on your individual rights. But remember, if you beg to be spied on, tracked, locked down, monitored, etc., that’s what you will get. And you will claim I’m a right wing extremist because I don’t want to live in George Orwell’s 1984. You will wake up in a nightmare and wonder how it happened, but you need only to look in a mirror.

  7. Jason

    I wonder what ransomware groups would do to get payment if cryptocurrency was impossible for a business to acquire. I’m guessing most other forms of payment would be easier to track and recover, meaning much less profit and far far far greater risk.

    Might put at least some of them out of business, or make them less effective (fewer resources to adapt to advances in detection etc), and maybe even move ransomware from top tier risk to something only security professionals think about.

    Then again there are so many rich folks and governments profiting off it, cryptocurrency will be here to stay… As will ransomware.. at least that’s my guess.

    1. Joe

      In the days before cyber currency the most common way to collect the ransom was via a series of wire transfer transactions that bounced between various bank accounts and countries instantly until the money was virtually impossible to trace. Eliminating cyber currency wouldn’t reduce ransomware attacks.

  8. NO-CENSORS

    It’s time to stop supporting anyone that is censoring content. That means, for the most part, I won’t visit or support any of the big tech firms, until they practice supporting our US constitution, rather than trying to abolish or substantially change it. The Bill of rights… all of it, was fought for, and well thought out. All those in power took an oath to defend it. Instead, they took the oath and then set out and seek to destroy it — their words, not mine.

    (I’m a regular reader, but I’m obscuring my ID, at least for now… so I’m not targeted.) I’ve been boycotting FB for over a year. Twitter?? (Waste of time, anyway.) But, there may be some new alternatives coming… maybe. Google? OK, they can monitor me for now, no matter what I do. But, I do not use their search anymore. If I do, it is on an incognito screen, often with VPN. Amazon?? Yeah, I will find another way to buy books if possible. If I can, I’ll support anyone other than Amazon. Boycotting selling books they don’t agree with?? Fake news from their newspaper, the Post?? I’ve had enough. We need another tea party and throw the tech giants over the side, until and unless they fully practice, and don’t just talk about free speech.

    The USSC has only one job… to interpret and apply the existing constitution. There’s only two reasons why you’d want to replace our existing court.
    — 1. They are incompetent or not supporting their oath to uphold the existing constitution.
    — 2. Or, you are replacing them because you want them to ignore the existing constitution, and either rewrite it, or ignore what it says.

    “Packing” or adding many more justices… This means, diluting what’s there, until what they were doing, is now irrelevant. That’s similar to what I do when I change the oil in my car. I don’t “change every drop”, I just dilute the “bad”, and add more “good oil”. This is how you can “become or control the court”, and subvert its purpose that I don’t like. If so, why support or call it a constitution??

    1. (TLDR)

      You are crazy. You do not have writing rights on all possible hosts.
      You will follow EULA’s and TOS, or you will be gone. Period.

      If you’re only NOW boycotting FB for ‘over a year’ over DT politics?
      Then you’re a simpleton, thus explaining your rant completely.

    2. Belli H

      Every young kid I know (from my own children up to children across the extended family, and from volunteering at several grade K1-12 grade levels) all swear up and down that they don’t use Facebook, never have, never will.

      Then the very next words out of their mouths are: “We use Instagram” or “We use WhatsApp” when we communicate with our friends. I shake my head, start laughing, inside, of course, and just respond: “That’s great.”

      And then I go home and enter orders to buy more FB stock on every pullback that I can when I have some spare scratch lying around.

      If FB ever stops being mentioned by society as the ‘great evil’, or being covered in an ancillary way by authors like Brian, or from people writing attacks and rants on Facebook, or whatever, I will sell all of the FB I’ve bought over the past decade. I will then move it on to the next flavor of the times that is the new evil.

      Humans are the strangest species surely in this galaxy (not sure about Universe, hopefully something, anything, is screwier than us). When any change comes to their world, they yap, scream and holler like hyenas while still, without hesitation, engaging in it. Just try not using a computer, a tablet, a smart phone, no digital device whatsoever, for a week, maybe a month, and report back. Yeah, lol, I thought not…

      H.L. Mencken had no idea how right he was when he wrote:

      “No one ever went broke underestimating the intelligence of the American public”.

    3. Levi

      For the umpteenth time, the 1st Amendment protects your right to speak from government interference – end of story. Last time I checked FB and other anti-social media companies like Twitter were private companies with shares that are publicly traded. When ratified in 1791 the 1st Amendment did not grant anyone a right to other people’s printing presses. Let’s fast forward to the 21st century. You do not have a right to say or publish anything you want on the digital platforms of any business, just as you don’t have such a right to publish to the online editions of the New York Times or New York Post.

      Any questions?

    4. William

      “Although the First Amendment says “Congress,” the Supreme Court has held that speakers are protected against all government agencies and officials: federal, state, and local, and legislative, executive, or judicial. The First Amendment does not protect speakers, however, against private individuals or organizations, such as private employers, private colleges, or private landowners. The First Amendment restrains only the government.”

      https://constitutioncenter.org/interactive-constitution/interpretation/amendment-i/interps/266

      Lesson for the day……

      1. Dan Olsen

        This specious argument comes up a lot regarding platform censorship. While I fully support individual and private enterprise freedoms, that ship has sailed.

        Yes, the 1st amendment only constrains the government, but more recent federal law and human decency says that if you have a business like a printing press or cake oven and you offer services to people generally, you are compelled to offer those services equally regardless of your feelings about the customer – including their ideas of appropriate sexual activities or religious views which you may disagree with. While religion is not an unlimited umbrella for ideas, it’s pretty clear that people and the law have considered it somewhere between douchey and criminal to discriminate based on a difference of opinion.

        Secondly, common carrier protections – Remember that big debate about “Net Neutrality”? The gist of that was codifying in law the non-discrimination aspect of the common carrier doctrine as it applies to communications. The Left was adamant about getting more government regulation involved in the peering arrangements of private ISPs so that evil corporations like Comcast couldn’t charge more – e.g. to Netflix and Amazon for the privilege of access to Comcast’s customers, or block access to types of traffic e.g. torrents, etc. While it specifically applies to ISPs, the principles were clear – zero discrimination based on user, content, website, platform, application, type of equipment, source address, destination address, or method of communication. The common carrier concept derives from the carriage of letters, cargo, people, etc. A common carrier provides service to the public _without discrimination_, as opposed to a contract carrier who can discriminate, but also accepts more liability for what their customer is asking them to carry. Common law does not favor the censors.

        Section 230 of the CDA of ’96 protects providers and users from being treated as the publisher or speaker of information provided by another content provider. This relief from liability for user content is what has allowed the internet to flourish in the U.S. In most of the rest of the world, Yelp could be sued over an inaccurate/libelous review, but that little section of law makes clear that it is the user rather than Yelp, who is responsible for that content. Now if Yelp were to start curating content – e.g. annotating comments with links to their own opinions about the matter, or blocking content that is not otherwise illegal or objectionable, but on the basis of their own viewpoints, it starts to become less clear that Yelp isn’t at least a partial contributor / provider of that content, and as such accepting liability for publishing or speaking that content. I don’t know why they would risk giving up their section 230 protection by getting involved at all with modifying or curating user content. The same goes for Twatter and the like, blurring the line between simply publishing user content, and getting involved in creating/modifying content opens them up to huge liabilities compared to a hands off approach.

      2. gov_lover

        These mega companies have become the public discourse, and the first amendment must apply. We can’t allow selective censorship and erasure of people from history. That’s what the soviets did to people, erase them from history if they said 1 thing the powers that be didn’t like.

  9. Lenny

    I believe we need to make stronger efforts against the bitcoin exchanges that are being used for ransomware funds. While it may be difficult to take them offline, a concentrated effort by the U.S., EU and other countries to NOT allow the exchange to be reached will limit who can access them and will impact the marketplace for bitcoin. Do not allow trading around bitcoin, etc (I don’t know of all the possibilities, but an effort must be made around the acceptance and converting to cash).

    If we can isolate bitcoin to our common enemies, i.e. Russia, et al., then we limit their outreach and can focus our efforts on the bad actors.

  10. Jamie

    This kind of thing happens nowadays. I think it is necessary to take action by the state.

  11. piffs

    #deleteFacebook, if you haven’t already… and yes that includes any Facebook owned companies, like Instagram or whatsapp. Most people are on Discord instead anyway

  12. Rodney Brazil

    Wow! This is nuts. It’s not surprising, though, that ransomware pirates need marketing support. Every business I know has encrypted cloud backups of nearly everything, so they would never need to pay a ransom.
