Ransomware Gangs Are Now Running Advertisements on Facebook

Last updated July 10, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

There’s a wacky piece of news circulating in the past couple of days, indicating a new space where ransomware groups are taking hold. Apparently, the hackers are taking over Facebook accounts to run advertisements that warn their victims of the security breach incident, applying more pressure to them into paying the requested ransom. Bleeping Computer reports that “Ragnar Locker” is leading this trend at the moment, with the recent Campari attack being the pilot case for it.

Ever since ransomware actors entered the controlled data-leaking space, their methods became more and more sophisticated. They set up dedicated portals, then moved to release well-crafted press releases that radiate a supposed professionalism, and now we see Facebook ads. It is clear that ransomware groups have the means, money, and skills to do whatever they want or imagine.

Source: Bleeping Computer

So, “Ragnar Locker” hacked into an advertiser’s account or paid someone else to do it for them, and then created advertisements to promote their Campari attack. This incident resulted in stealing 2TB of data, which is now held for a ransom of $15 million.

According to stats shared with the hacked person with Brian Krebs, the campaign managed to reach 7,150 Facebook users and generated 770 clicks, making about $160 in revenue.

Source: KrebsOnSecurity

Of course, Ragnar Locker isn’t going for ad revenues, but for raising the heat on Campari, forcing them to pay the ransom or be ridiculed everywhere online - Facebook included. The campaign has already been reported as fraudulent, and Facebook took it down, but the threat actors could keep on doing that again and again, for as long as they please really.

Related: Phishing Actors Are Taking Advantage of Facebook’s Small Business Grants Program

Ransomware groups are getting very persistent as victims deny to pay or can’t meet the demands. Emsisoft researcher Fabian Wosar has stated that they have reports about hackers indirectly calling the victims to convince them to pay the ransom. This task is outsourced to Indian call centers, which is another indication that ransomware actors will do everything to get the money.

We expect to see more ransomware actors doing the same, and maybe even more in the future. Facebook is currently investigating the incident, but it doesn’t look like they can do much to prevent anything like that from happening again in the future.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: