An Apparent Ransomware Hack Puts the NRA in a Bind

The Russian ransomware group Grief posted Wednesday a sample data it claimed was stolen by the National Rifle Association. Ransomware can be a painful problem in any circumstance. Grief is even more complicated because it is linked to the Evil Corp gang. The group has been under US Treasury sanctions since December 2019. You could be subject to serious penalties even if Grief is paid off.
The US government has become more aggressive in imposing sanctions against cybercriminal organizations. In recent months, the White House suggested that other ransomware operators may soon be blacklisted. These efforts are shaping ransomware victims and ransomware actors alike as they increase.

Researchers claim that the documents stolen by the NRA include materials related to grant applications and letters of endorsement. They also contain minutes from a meeting of the NRA. The NRA has not confirmed or denied the attack. They add that ransomware was apparently used to attack the NRA's email systems late last week or this weekend.

Grief took the NRA posting off its dark web site on Friday. Emsisoft threat analyst Brett Callow warns against reading too much into this development. While delistings may indicate that payment was made, it could also mean that the group entered into negotiations with victims. In this case, the victims might be paying for time to investigate the situation and develop a plan. If the incident draws too much attention from law enforcement, attackers will sometimes abandon an attempt at extortion.

Perhaps even more interesting is Grief, which many researchers believe is only one of many Evil Corp fronts. Researchers believe that Grief may be a spinoff of Evil Corp, given the complexity of ransomware actors' malware. To find links, analysts examine the infrastructure and methods of attackers, including indicators such as encryption file format or distribution mechanisms. Grief shares technical similarities with other Evil Corp-linked entities such as DoppelPaymer and uses Dridex botnethistorically Evil Corp’s signature product.

Callow says that Grief has been slowly but steadily operating for some time. Evil Corp has been seen circulating through brands to trick companies into paying. They don't realize they are dealing with sanctioned entities. Or maybe to give them plausible deniability.

Experts in ransomware say that the sanctions have not stopped Evil Corp's ability to attack targets and get paid. They do appear to have had an impact on the group's operations. This has forced hackers to incorporate sanctions into their presentation and communication to victims.

It's quite interesting. It's not common to see ransomware actors pretending they are other groups. This is because you want to ensure you get paid. Allan Liska, analyst at Recorded Future, said that it is unusual to see ransomware actors pretending they are other groups. You know that you have been affected by Lockbit or Conti if you've been hit. That would indicate a change of behavior due to the sanctions, I believe. Evil Corp is tied to DoppelPaymer, Grief and other ransomware groups and strains.