The Ragnar Locker ransomware has become something of a star among ransomware attackers in the crypto space despite only being discovered this year. In what appears to be its latest high-profile attack, hackers appear to have used it against the Italian alcohol manufacturer Campari.
A Two-Pronged Attack
According to a Bleeping Computer report, a ransomware group managed to use the Ragnar Locker tool to steal about two terabytes’ worth of data from Campari and is now demanding $15 million in Bitcoin for access to the firm’s files.
As the report explained, the attack was discovered on November 1. The hackers used a virus to infect Campari’s computers and steal the drink maker’s sensitive data. The attackers reportedly took a treasure trove of data, including documents, bank statements, financial data, contracts with partners and ambassadors, and other critical correspondence. In a ransom note, the attackers confirmed that they had stolen the data and demanded a $15 million ransom, payable exclusively in Bitcoin.
The Italian company acted swiftly, shutting down its IT services in the wake of the attack to prevent further damage. In a statement on the attack, the Italian manufacturer said:
“The company has implemented a temporary suspension of IT services, as some systems have been isolated in order to allow their sanitization and progressive restart in safety conditions for a timely restoration of ordinary operations.”
Bleeping Computer added that the attackers went further, buying up ads on Facebook to refute Campari’s claims that only a small amount of personal and business data was stolen. As the ads explained, the attackers’ haul included a substantial amount of data. Security researcher Brian Krebs confirmed that the ad had reached over 7,000 Facebook users before the social media giant’s security measures took it down for being malicious.
Big Bucks for Ragnar Locker Hackers
The attackers have so far kept to Ragnar Locker’s mode of operation, which primarily includes seeking out large sums of money in ransom payments. The first report on the ransomware came earlier this year, with British security firm Sophos explaining that attackers had used it to break into the network of Energias de Portugal, a Lisbon-based energy and utility company.
As the report noted, the attackers in that operation stole ten terabytes’ worth of data, asking for 1,860 BTC – about $11 million at the time – in ransom.
Then, in August, Reuters reported that travel management agency CWT paid 414 BTC – worth $4.5 million – in ransom to attackers who used this same ransomware on them.
Reuters explained that the attackers had deployed the ransomware onto 30,000 computers on CWT’s network, stealing an unspecified amount of data. While the hackers initially demanded $10 million in ransom payments, a CWT official managed to get through to them and plead on the company’s behalf, claiming that it had suffered significant losses due to the pandemic.
They eventually settled for a $4.5 million ransom payment, which CWT paid in two separate transactions.