When a damaging data breach occurs, it’s important for the targeted organization to respond with transparency and control the incident-response message that gets communicated to potential victims. But now ransomware actors have devised a new way to disrupt that message and fan the flames of negative publicity.
Earlier this month, the Ragnar Locker ransomware gang took over one or more Facebook user accounts and used them to purchase online social media advertisements designed to embarrass one of its recent double-extortion victims, Italian liquor company Campari Group.
The tactic is new, and a clear effort to apply added pressure on victims to pay. It also spotlights a growing concern for organizations targeted by attackers: social media as a medium gives adversaries unfettered access to consumers and a means to directly counter the organization's own messaging on an incident.
Ransomware actors often use their own established naming-and-shaming websites to announce their latest victims, but “these sites are not being read by the average consumer. Using social media that is accessible to the broader population can result in more reputational harm for [the victim's] business,” explained Kimberly Goody, senior manager of analysis at Mandiant Threat Intelligence, part of FireEye.
For instance, after Campari issued a public statement saying, “we cannot completely exclude that some personal and business data has been taken,” the attackers released their Facebook ad, which reportedly read: “This is ridiculous and looks like a big fat lie. We can confirm that confidential data was stolen and we talking about huge volume of data.”
If the tactic proves useful, attackers could leverage additional social media platforms in the future – forcing companies to devise strategies for how to respond and regain control of the message they want to communicate.
Reportedly, the attackers asked for $15 million after encrypting Campari’s files and threatening to publish up to two terabytes worth of stolen documentation, including bank statements, contractual agreements and emails.
Exposure is just one benefit, though.
“Over time, threat groups have strategized various ways to push the envelope when pressuring victims into paying a ransom. Psychologically, this tactic does just that," added Kacey Clark, threat researcher at Digital Shadows. "Bringing this information to a more public platform, such as Facebook, significantly increases the likelihood of brand damage... and negative publicity.”
Ransomware gangs are often known to copy each other's methods, so it's certainly conceivable that other actors could try to leverage social media and social ads to give their diabolical deeds more exposure. And as social media removes the degrees of separation between threat actors and their victims’ customers, Clark said, the tactic will likely serve as a productive means of further extorting compromised organizations.
The tactic could also evolve to include more account takeovers, along the lines of last summer's Twitter hacking incident during which prominent verified accounts were compromised to promote a cryptocurrency scam.
Moreover, “we could also imagine a scenario where attackers essentially deface a company’s website assuming they were able to obtain the proper credentials, making the attack very public," said Goody.
There are even documented cases of attackers personally communicating with media outlets, clients and sometimes individual victims to spread their message. Just last month, Finnish psychotherapy center Vastaamo disclosed a double-extortion ransomware attack in which the culprits contacted patients to blackmail them with their stolen medical files.
Still, it’s not clear if the Ragnar Locker group's latest strategy, first reported by Krebs on Security, will ultimately yield any notable results.
"It’s important that while this Facebook ads tactic is new, we can’t really say that it is effective, as the advertisements haven’t yet caused Campari to come through with payment for their data," said Chad Anderson, senior researcher at DomainTools. The tactic psychologically places pressure on executives who won't want distorted messaging to damage the brand, he confirmed, but Ragnar Locker also revealed "their own desperation to get some attention once ignored. They’re the screaming child in the corner at Thanksgiving."
Anderson said Campari has another public relations advantage: they're not the bad guys in this scenario. The onslaught of high-profile ransomware attacks has resulted in consumer awareness, where people understand which is the victim and which is the crook.
“The consumer will side with them – the victim – as long as we aren’t looking at an egregious breach that was trivial to perform, or that contains mounds of personal data,” said Anderson, citing Equifax as an example of the latter.
To ultimately win the messaging battle with ransomware attackers, even those that adopt bolder tactics, experts advise victimized companies to stay transparent and not pay up.
“Taking the hard stance of not negotiating is the proper way to control the message," said Anderson. Moreover, "taking the time to harden their networks while bringing them back online and releasing a PR statement explaining their improvements would [win] the respect of the security community and consumers at large.”
The incident may actually be a bigger PR problem for the social media company than the actual ransomware victim. According to Krebs, the Ragnar Locker group compromised the Facebook account of Chicago-based deejay service Hodson Event Entertainment in order to purchase $500 of the threatening Facebook ads.
Facebook told SC Media that the company's own automated systems actually detected and reverted an attempt to compromise the account in question. Nevertheless, the unauthorized ad campaign reportedly reached 7,150 Facebook users, and generated 770 clicks.
"Facebook should certainly have better controls in place for keeping people from compromising these user accounts," said Anderson. "Two-factor authentication should be mandatory for any major brand’s advertising portal and there should be options where advertisements can’t go out without some sort of human approval. Certificate authorities won’t issue you an EV certificate without calling you, and those are cheap compared to the budget these companies spend on ads."
In its latest corporate statement, dated Nov. 9, Campari Group said that "in the context of its IT systems recovery plan, selected services have been progressively resumed following their successful sanitization and the installation of extra security measures." However, "a number of IT systems remain temporarily and deliberately either suspended or operating with limited functionality across multiple sites, awaiting their sanitization or rebuild in order to resume all systems in a fully secure way."
Campari Group said that because recovery has taken "longer than initially envisaged," the attack is expected to have "some temporary effect on the Group’s financial performance."