A Russian ransomware group known as Grief claims it is gunning for the National Rifle Association (NRA).
Grief, a likely restructuring of the U.S.-sanctioned group Evil Corp, has been leaking NRA files on the Dark Web, claiming to have breached the association's systems.
Now, Grief says it is holding sensitive information and threatening to publish more unless a ransom is paid.
Grief ransomware gang posts to Dark Web about NRA hack
As of publishing, the NRA is keeping mum about whether its network was compromised. Mum, as in, we're not going to talk about it.
The NRA posted this statement to their official Twitter account:
"NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so." –Andrew Arulanandam, managing dir., NRA Public Affairs — NRA (@NRA) October 27, 2021
Graham Cluley, a podcast host and cybercrime writer, shared images backing up Grief's claims the NRA was one of the group's ransomware victims.
From an analysis of the files, it appears the ransomware group stole documents related to NRA grants, including downloading blank grant forms and accessing grant recipient contact information.
In reporting by AP News, a source confirmed "email problems" for the NRA, which would not be unusual following a ransomware attack.
Grief and Evil Corp one and the same?
It is possible this is the first you're hearing of the Grief ransomware strain. Security researchers believe the cybercrime group is likely a rebrand of Evil Corp, a notorious threat actor with a long list of malware casualties.
Brett Callow, Threat Analyst for Emsisoft, told NBC News he believes the group successfully hacked the NRA.
"I'm not aware of any incidents in which Grief/Evil Corp has attempted to take credit for other operations' attacks," he said.
Alec Alvarado, Threat Intelligence Manager for Digital Shadows, recently presented on Evil Corp's rebranding for SecureWorld's Remote Sessions webcast.
"We've seen sanctions placed on Evil Corp, which is a named group that was sanctioned by the U.S. government. They actually decided to operate under a new ransomware group.... But again, it goes to say that ransomware groups aren't necessarily afraid of who they target, they can just go back to the drawing board, rename themselves, and reemerge as a new group that doesn't necessarily apply to us or any law enforcement action."
With ransomware attacks on the rise, the White House has taken action to curb criminal activity, but cybercrime organizations like Evil Corp/Grief are always seeking workarounds.
Motives behind the alleged NRA ransomware attack
Based on what we know, it appears the motivation here is more likely money than hacktivism. However, the NRA has a lot of detractors. So what are the chances this could be connected to a political movement?
Allan Liska, Intelligence Threat Analyst for Recorded Future, weighed in on this:
"It's not likely that this was specifically targeted at the NRA, the NRA just happened to get hit. You never know, though," Liska told AP News.