UPDATED 21:46 EDT / NOVEMBER 10 2020


Ragnar Locker gang uses Facebook ads to pressure ransomware victim into paying

The Ragnar Locker ransomware gang has been making regular headlines for its ransomware attacks on multiple companies in recent months, but in a new twist, the group has taken to advertising on social media to pressure one of its victims into paying.

The victim in this case is Italian drinks maker Davide Campari-Milano S.p.A., best known simply as Campari, which was targeted in a Ragnar Locker ransomware attack Nov. 2.

As first reported today by Krebs on Security, the Ragnar Locker gang has started using Facebook Inc. accounts to run ads that publicly pressure Campari into paying its demanded ransom.

Campari had said in a statement Nov. 6 that “at this stage, we cannot completely exclude that some personal and business data has been taken,” a claim directly addressed in the Facebook ads.

The Ragnar Locker gang says in its ad that “this is ridiculous and looks like a big fat lie… we can confirm that confidential data was stolen and we talking about huge volume of data.” The ad went on to say that the gang had stolen 2 terabytes of data and that Campari had until 6 p.m. EST today to negotiate a payment for a promise not to release the stolen data.

The Facebook account used for the ad belonged to Hodson Event Entertainment. The company’s founder said the account had been hacked and that the ransomware gang had budgeted $500 for the campaign. Notably, the company founder said that he thought he had two-factor authentication turned on for all of his accounts, but he didn’t for his Facebook account.

“Cybercrime groups will use any and all options available to them to extract whatever money they can from their victims,” Chris Clements, vice president of solutions architecture at the information technology service management company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “The use of compromised Facebook user accounts to buy ad campaigns to further harass their victims is novel, but not at all out of character.”

What it shows, he said, is that every online user is vulnerable to compromise and false financial charges should their social media accounts be compromised and used to purchase ad campaigns. “Users should ensure that two-factor authentication is enabled on all of their online accounts and that they do not reuse the same password across different websites or mobile applications,” he said.

Image: Ragnar Locker/Twitter
