Facebook Ads Taken Out by Ragnar Locker Ransomware

Posted by Norma Stratton on

Facebook Ads Taken Out by Ragnar Locker Ransomware as a New Tactic

The Ragnar Locker ransomware group followed up their November 3rd attack on Italian liquor producer Campari by taking out Facebook ads in which they threatened to release 2TB of stolen data if they did not receive $15 million paid in Bitcoin. Campari Group acknowledged the attack.

Double-Extortion with a Twist

This new tactic is a twist on the existing double-extortion tactic, which sees cyber criminals lock organizations out of their own systems and then threatening to release stolen data to the public unless their demands were met. By using Facebook Ads to inform the public that the company’s sensitive data has been compromised, Ragnar Locker ransomware group is able to put additional pressure on Campari to comply, lest the public believe they are not willing to protect the data.

The ads were first spotted on November 9 by researcher Brian Krebs and were entitled “Security Breach of Campari Group Network.” The ads were purchased using a hacked Facebook account and were shown to more than 7,000 users before they could be pulled down.

Using this approach to harass victims may be new, but it is entirely in keeping with how cybercrime groups operate.

A New “Wall of Shame”

The Ragnar Locker group was first seen in 2019 and by last April, were threatening to make stolen data public when they launched their Wall of Shame site. It has been noted that the executables for both the Campari ransomware attack and another attack on video game developer and publisher Capcom were signed by the same cert, indicating tying both to the Ragnar Locker group. It also may signify a growing confidence in their methods, especially given that with this new tactic of advertising publicly, they are actively flaunting their activities.

The act of advertising has also demonstrated that even the average Facebook advertiser is now vulnerable to compromise from Ragnar Locker, potentially resulting in false financial charges by having their accounts used to purchase ad campaigns. Users should take this as a reminder to ensure that all their accounts have two-factor authentication enabled and, as always, use different passwords for different websites and mobile applications.

Ragnar Locker seems to be a somewhat influential group among those using ransomware. Already, the Maze group has been observed emulating Ragnar Locker’s tactic of distributing ransomware with virtual machines, so it’s likely that we will see others begin to use public advertising in a similar manner.

Keeping your individual accounts secure can help reduce the threat posed by groups like these, and two-factor authentication is a valuable defence, even if you find managing multiple passwords challenging or just inconvenient. Password managers can always help in that regard, and the inconvenience of multiple passwords is certainly less than that of being compromised.


Every business should assume they have either been attacked, are being attacked, or will be attacked. Fast detection and swift response are the small business owner’s only defense.

You can access my Free Ebook=> “WHAT’S AT STAKE FOR YOUR BUSINESS?” 

If you suspect you may have a data breach. It is essential to get it check out immediately.

We hope this information is helpful we want to make this as easy as possible for you, eliminate the learning curve, and inform you all about the dangers your company may face when exposed to cybersecurity.

We love hearing your feedback and on your cyber concerns

Safe Harbour Canada | Safeharbor USA | “Smooth Sailing"

W: https://www.shi.co