A ransomware attack relies on the victim deciding that paying the ransom is a better option than taking the time to unlock the files with the help of a security firm or a government agency. Depending on the sensitivity and importance of the ransomed data, this may be an easy judgement call. However, in many cases companies will delay paying the ransom as they work to unlock their files, especially if they believe that the attacker has been unable to extract anything damaging from the compromised systems.
The group behind the Ragnar Locker malware found themselves in a situation where one of their targets, Campari Group, wasn’t paying the ransom. Campari Group had acknowledged that their systems had been hit by a malware attack and that the affected systems were being dealt with, but they had not offered details about the damage caused by the attack. The Ragnar group decided to increase the pressure on Campari by taking out Facebook ads using the information they had extracted from the Campari servers, which included the login details of individuals.
This allowed the Ragnar group to make it clear they had extracted at least some personal data, increasing the pressure on Campari to pay. There are even new reports that the Ragnar group is using call centers in India to call individuals whose data has been hacked. This represents a shift in the ransomware paradigm, where the attacker usually attempts to stick to the shadows when pursuing their victim.