Forget the Dark Web: Ransomware Gangs Weaponize Facebook and Twitter to Pressure Victims
(Written by Jareth, for the Emsisoft blog. Republished with permission from Emsisoft)
The threat of public exposure is a core part of the ransomware playbook. The more eyeballs on an incident, the greater the embarrassment, reputational damage and risk of litigation for the victim – and the higher the chance of a payout for the ransomware gang responsible for the attack.
But not every attack captures the attention of the public. With the news cycle already saturated with cyber attacks, it’s all too easy for run of the mill incidents to get lost in the wash.
Now, in an effort to amplify coverage, some ransomware groups are using social media channels to bring news of their conquests to a wider audience and put more pressure on victims to pay the ransom.
Leak sites don’t make for good publicity
Double extortion has become the standard mode of operation among ransomware gangs. The premise is simple: after successfully exfiltrating data from a target company, a ransomware gang threatens to publish the stolen data unless the victim coughs up the ransom. In this way, threat actors can effectively extort victims twice: once, for the decryption of their scrambled data; and again, for the non-release of the stolen data.
Should a victim refuse to cough up the ransom, the stolen data is usually published on the ransomware gang’s own platform. This typically takes the form of a Tor site, accessible only via the dark web and visited mostly by security researchers and other cybercriminals. As a means of quietly publishing repositories of stolen data, it’s a good, functional solution. But in terms of broadcasting a message to a wide audience – the thing ransomware attackers need to elevate the profile of an attack and boost their chances of a payout – these leak sites are more back-alley soapboxes than bonafide news distribution channels.
In an attempt to bring news of their attacks to the masses, threat actors are now turning to mainstream social media platforms.
Twitter bots create fake buzz about Grief attack on the NRA
In October 2021, The National Rifle Association of America (NRA) was hit with a strain of ransomware known as Grief, one of the many operations attributed to prolific Russian cybercrime group Evil Corp. Threat actors published on the Grief leak site 13 documents that had allegedly been stolen during the attack, including minutes from an NRA board meeting, grant applications and more.Up until this point, the attack had followed a fairly standard sequence of events, as far as ransomware incidents go. However, shortly after Grief announced the details of the attack, some very unusual activity began to take place: all over Twitter, hundreds of accounts began sharing tweets about the attack.
It was clear that the news frenzy wasn’t organic. The accounts sharing the news had all been created in August and September 2021. Most didn’t follow anyone, nor did they have any followers. The majority sported the default Twitter profile photo, while the ones that did have pictures appeared to have been taken from Russian dating sites like Tralolo and Shuri-Muri. All of the accounts were intent on promoting content related to attacks perpetrated by Grief.
This wasn’t the next random viral sensation. This was an orchestrated information operation intended to amplify coverage and elevate a fairly unremarkable attack to headline-worthy status in order to pressure the NRA into paying. It’s likely that Grief was involved with the Twitter campaign, although it remains unclear if Grief owned and operated the Twitter troll network or worked with a third party.
Ragnar Locker uses Facebook ads to promote attack
The Grief Twitter campaign wasn’t the first time threat actors have used social media to increase public awareness of an attack.
In early November 2020, Italian beverage vendor Campari Group experienced significant disruption when its systems were infected with ransomware. A few days later, the company acknowledged the attack in a statement that said “At this stage, we cannot completely exclude that some personal and business data has been taken.”
On 9 November 2020, advertisements began popping up on Facebook that were evidently designed to publicly pressure the Campari Group into paying the ransom. The ad asserted that Campari Group’s statement was “ridiculous and looks like a big fat lie … we can confirm that confidential data was stolen and we talking about huge volume of data.”
The ad claimed that prolific cybercrime group Rangar Locker had exfiltrated two terabytes of information and gave Campari Group until 6 p.m. EST to negotiate payment in exchange for the non-release of the stolen data.
As KrebsOnSecurity discovered, the ads had been funded by Hodson Event Entertainment, an account owned by a Chicago-based DJ whose Facebook account had been hacked. The attackers budgeted $500 for the campaign and reached around 7,150 users before Facebook disabled the ad campaign.
Other groups weaponize Twitter and Tumblr
Not every ransomware group goes to the effort of using Twitter bots and paid ads to promote an attack. Plenty of threat actors, including DoppelPaymer, 54bb47h and Marketo are weaponizing social media in a more straightforward way, using Twitter as a distribution channel to promote their attacks to a mainstream audience. A group known as RobinHood recently started a Tumblr account, where it apparently plans to post the names of its victims and screenshots of pilfered data.
Sometimes, ransomware groups also reach out directly to members of the press via social media, hoping that a journalist will pick up the story and bring more attention to an incident.
Takeaway
It’s easy for ransomware victims to be lethargic when a data leak is confined to an obscure Tor website that the average Joe will never see. It’s a different story when that same stolen sensitive data is being publicly discussed and shared on mainstream social media platforms.Posting sensitive stolen data is, of course, against the terms and conditions of every social media platform. But social media firms aren’t always as quick to deal with reports of abuse as they should be, which enables threat actors to abuse their platforms more effectively.
We may see more threat actors venturing out from the dark web and leveraging social channels as they continue to find creative ways to pressure their victims into paying.
We use and recommend Emsisoft Antimalware. Learn more here