Industrial Cybersecurity Pulse

Throwback Attack: Ragnar Locker uses social media to extort the Campari Group

  • Gary Cohen
  • July 15, 2021
Courtesy: Deborah Cohen

A spate of recent cyberattacks on national critical infrastructure has brought production to a halt in the oil and gas industry, risked dangerous contamination of a water system in Florida, and hindered several local and federal government agencies. But one of the hardest-hit critical infrastructure sectors, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), is food and beverage. In the last year, threat actors have attacked the world’s largest meat processor, JBS, and beverage giant Molson Coors, among others. In November 2020, beverage company Campari Group felt the all too familiar sting of a ransomware attack on its information technology (IT) systems, but this time with a new social media-infused twist.

Major hacks like the one on Campari are generally not done by small, fringe groups — or the stereotype of “one guy sitting in his mom’s basement.” In recent years, ransomware operations have expanded and professionalized, with some criminal gangs using public relations campaigns, issuing press releases and selling “off-the-shelf” ransomware-as-a-service.

The Campari attack was linked to notorious ransomware group Ragnar Locker, which used many time-tested tactics, encrypting Campari’s servers and stealing 2 terabytes of private data. But Ragnar Locker, which came onto the scene in late 2019, also introduced an innovation, taking out Facebook ads to extort the company for $15 million in Bitcoin and threaten to release the stolen files if Campari refused to pay.

This double extortion tactic — demanding money and threatening to release files — is nothing new for ransomware attackers. The Facebook ads, which let the world know Campari had been hacked and was refusing to pay the ransom to keep its (and possibly their) data secure, had never been tried before.

The Italian corporation, which has been producing liquor and soft drinks since 1860, owns multiple brands — including namesake Campari, Aperol, Grand Marnier, Skyy Vodka and Wild Turkey — that are distributed internationally. On Nov. 3, 2020, Campari released a statement acknowledging a large portion of its IT systems had been taken down as the result of a cyberattack.

“The security and confidentiality of all data is a top priority for us,” the statement read. “Unfortunately, we acknowledge that there has been some data loss: we are still investigating the attack and, in particular, determining to which extent there has been any loss of confidentiality and loss of availability of personal and business data.”

A follow-up statement on Nov. 6 read: “At this stage, we cannot completely exclude that some personal and business data has been taken.”

On Nov. 9, the Ragnar Locker ad campaign, titled Security Breach of Campari Group Network, hit Facebook, countering Campari’s assertion the attack was minor and attempting to shame the megacorporation into paying the ransom.

“This is ridiculous and looks like a big fat lie,” read the ad campaign. “We can confirm that confidential data was stolen and we talking about huge volume of data (sic).”

According to security researcher Brian Krebs, Ragnar Locker used the hacked account of a Chicago DJ to pay for the ads, and the “unauthorized campaign reached approximately 7,150 Facebook users, and generated 770 clicks.” Facebook quickly removed the ads for violating its guidelines prohibiting the promotion of criminal activities, but some experts believe this innovation of threat actors using public advertising and social media to turn the screws on companies is likely to be emulated by other attackers.

The Campari strike was just one in a surge of attacks on the food and beverage sector that has impacted companies such as Mondelez, Arizona Beverages, Wendy’s and MPG Ingredients. One reason food and beverage makers are so attractive to ransomware groups is they can’t afford to shut down production, said David Masson, director of enterprise security at Darktrace.

Digital convergence has linked IT and operational technology (OT) to the extent that even IT-based attacks, like the ones on Mondelez and Molson Coors, tend to force OT systems offline to protect corporate interests. While shutdowns of food and beverage makers can be a matter of national security, they also more immediately impact a company’s bottom line.  

“OT is absolutely worth protecting, not just from the point of view that because it supports critical national infrastructure — the systems that we rely on to run the countries that we live in — but also because, at the end of the day, it’s going to affect your bottom line,” Masson said. “If you’re a company, you’re there to make profits and provide salaries and wages and dividends for everybody. If you’re not any good at this, this isn’t going to work for you, and your share prices can drop. Your customers can walk away, and that’s probably the biggest issue is when customers walk away from it. So there’s an incentive not just for doing the right thing for the country but for doing the right thing for the organization to actually start protecting your OT.”

Major manufacturing plants also tend to run 24/7, so any time lost can create problems all the way down the supply chain and put companies behind the eight ball. Simply stated, when production stops, the cash register turns off. And companies don’t like to lose their ability to make money.

“As soon as production shuts down, that’s it. You’re effectively stopped,” Masson said. “In one of the cases you mentioned there, particularly the JBS one, that is pretty much critical national infrastructure, because you’re actually talking about the food supply chain, and you can’t get more critical than that.

“They had to stop production, and the reasons for stopping production is because they were obviously frightened that the attack on their IT could jump across to their OT. And they were wanting to make absolutely sure that we can bring OT back online again, so they’re going to shut their OT down in the correct manner because they know they can then bring it back up again in the correct manner. But if malware gets onto it from the IT side, then there’s a chance they’ll never be able to shut it down properly, and they’ll never be able to bring it back up again properly. So the result is a decision driven by fear.”

Ransomware doesn’t appear to be going away anytime soon, as bad actors leverage expanding connectivity, emerging technologies, lapses in corporate security and increasing ease of access to produce bigger and bolder criminal acts. The SolarWinds and Kaseya cyberattacks both showed how hackers can use the supply chain to strike multiple companies from a single entry point. Ransomware gang REvil asked for $70 million to publish a “universal decryptor” after the Kaseya attack that infected systems around the world on the July Fourth holiday weekend.

 


Gary Cohen

Gary Cohen is senior editor/product manager at CFE Media.

Copyright 2022 CFE Media and Technology.
All rights reserved.

