
Throwback Attack: Ragnar Locker uses social media to extort the Campari Group

Courtesy: Deborah Cohen

A spate of recent cyberattacks on national critical infrastructure has brought production to a halt in the oil and gas industry, risked dangerous contamination of a water system in Florida, and hindered several local and federal government agencies. But one of the hardest-hit critical infrastructure sectors, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), is food and beverage. In the last year, threat actors have attacked the world’s largest meat processor, JBS, and beverage giant Molson Coors, among others. In November 2020, beverage company Campari Group felt the all too familiar sting of a ransomware attack on its information technology (IT) systems, but this time with a new social media-infused twist.

Major hacks like the one on Campari are generally not done by small, fringe groups — or the stereotype of “one guy sitting in his mom’s basement.” In recent years, ransomware operations have expanded and professionalized, with some criminal gangs using public relations campaigns, issuing press releases and selling “off-the-shelf” ransomware-as-a-service.

The Campari attack was linked to the notorious ransomware group Ragnar Locker, which used many time-tested tactics, encrypting Campari’s servers and stealing 2 terabytes of private data. But Ragnar Locker, which came onto the scene in late 2019, also introduced something new, taking out Facebook ads to extort the company for $15 million in Bitcoin and threatening to release the stolen files if Campari refused to pay.

This double extortion tactic — demanding money and threatening to release files — is nothing new for ransomware attackers. The Facebook ads, which let the world know Campari had been hacked and was refusing to pay the ransom to keep its own data (and possibly that of others) secure, had never been tried before.

The Italian corporation, which has been producing liquor and soft drinks since 1860, owns multiple brands — including namesake Campari, Aperol, Grand Marnier, Skyy Vodka and Wild Turkey — that are distributed internationally. On Nov. 3, 2020, Campari released a statement acknowledging a large portion of its IT systems had been taken down as the result of a cyberattack.

“The security and confidentiality of all data is a top priority for us,” the statement read. “Unfortunately, we acknowledge that there has been some data loss: we are still investigating the attack and, in particular, determining to which extent there has been any loss of confidentiality and loss of availability of personal and business data.”

A follow-up statement on Nov. 6 read: “At this stage, we cannot completely exclude that some personal and business data has been taken.”

On Nov. 9, the Ragnar Locker ad campaign, titled Security Breach of Campari Group Network, hit Facebook, countering Campari’s assertion the attack was minor and attempting to shame the megacorporation into paying the ransom.

“This is ridiculous and looks like a big fat lie,” read the ad campaign. “We can confirm that confidential data was stolen and we talking about huge volume of data (sic).”

According to security researcher Brian Krebs, Ragnar Locker used the hacked account of a Chicago DJ to pay for the ads, and the “unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks.” Facebook quickly removed the ads for violating its guidelines prohibiting the promotion of criminal activities, but some experts believe this innovation of threat actors using public advertising and social media to turn the screws on companies is likely to be emulated by other attackers.

The Campari strike was just one in a surge of attacks on the food and beverage sector that has impacted companies such as Mondelez, Arizona Beverages, Wendy’s and MPG Ingredients. One reason food and beverage makers are so attractive to ransomware groups is they can’t afford to shut down production, said David Masson, director of enterprise security at Darktrace.

Digital convergence has linked IT and operational technology (OT) to the extent that even IT-based attacks, like the ones on Mondelez and Molson Coors, tend to force OT systems offline to protect corporate interests. While shutdowns of food and beverage makers can be a matter of national security, they also more immediately impact a company’s bottom line.  

“OT is absolutely worth protecting, not just from the point of view that because it supports critical national infrastructure — the systems that we rely on to run the countries that we live in — but also because, at the end of the day, it’s going to affect your bottom line,” Masson said. “If you’re a company, you’re there to make profits and provide salaries and wages and dividends for everybody. If you’re not any good at this, this isn’t going to work for you, and your share prices can drop. Your customers can walk away, and that’s probably the biggest issue is when customers walk away from it. So there’s an incentive not just for doing the right thing for the country but for doing the right thing for the organization to actually start protecting your OT.”

Major manufacturing plants also tend to run 24/7, so any time lost can create problems all the way down the supply chain and put companies behind the eight ball. Simply stated, when production stops, the cash register turns off. And companies don’t like to lose their ability to make money.

“As soon as production shuts down, that’s it. You’re effectively stopped,” Masson said. “In one of the cases you mentioned there, particularly the JBS one, that is pretty much critical national infrastructure, because you’re actually talking about the food supply chain, and you can’t get more critical than that.

“They had to stop production, and the reasons for stopping production is because they were obviously frightened that the attack on their IT could jump across to their OT. And they were wanting to make absolutely sure that we can bring OT back online again, so they’re going to shut their OT down in the correct manner because they know they can then bring it back up again in the correct manner. But if malware gets onto it from the IT side, then there’s a chance they’ll never be able to shut it down properly, and they’ll never be able to bring it back up again properly. So the result is a decision driven by fear.”

Ransomware doesn’t appear to be going away anytime soon, as bad actors leverage expanding connectivity, emerging technologies, lapses in corporate security and increasing ease of access to produce bigger and bolder criminal acts. The SolarWinds and Kaseya cyberattacks both showed how hackers can use the supply chain to strike multiple companies from a single entry point. Ransomware gang REvil asked for $70 million to publish a “universal decryptor” after the Kaseya attack that infected systems around the world on the July Fourth holiday weekend.
