Fraud Management & Cybercrime , Governance & Risk Management , Ransomware
NRA Finally Confirms Ransomware Attack From 2021
Attack Details Came to Light in the Organization's FEC FilingThe U.S. National Rifle Association reportedly fell victim to a ransomware attack in October 2021. The NRA did not acknowledge the attack at the time, but a recent Federal Election Commission filing submitted by the organization explaining a financial discrepancy caused by the ransomware attack has forced the NRA to confirm the attack and detail its impact.
See Also: Preparing for New Cybersecurity Reporting Requirements
The @NRA finally admitted they were hit with a ransomware attack back in 2021.
— (@hrbrmstr) March 20, 2022
Turns out it takes more than guns & bad faith arguments to stop cybercriminals. pic.twitter.com/F0RRizNggR
The Impact
The ransomware attack took place on Oct. 20, 2021, at a "sponsoring organization," the NRA says in its FEC filing, which was conducted by its political action committee. In the immediate aftermath of the incident, the NRA confirms that it did not have email or network access, which suggests that the NRA's services must have been disrupted significantly.
The NRA states in the FEC filing, "[At] the time, we were not able to access email or network files. When our information security team brought our network back online, the process was undertaken slowly and carefully, with the end result that we did not have full access to our network and the internet until the second week of November."
What Happened
In October 2021, a Russian cybercriminal gang known as Grief reportedly posted 13 files belonging to the NRA as a sample of the entire data set, which the gang claimed to possess. This data was posted on Grief's website, and the cybercriminals warned of leaking additional data if an undisclosed ransom was not paid.
The NRA, at the time, did not respond to Information Security Media Group's request for comment. But Andrew Arulanandam, managing director of public affairs for the NRA, said on Twitter: "NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations - and is vigilant in doing so."
Why Did NRA Acknowledge the Attack Now?
According to the FEC filing, during the network restoration process that the NRA's information security team undertook, one batch of credit card receipts from the NRA's donors was not processed correctly into the database since the email and network services were barely operational.
This resulted in inadequate filing of nearly $2,500 worth of donor funds for November 2021. "This batch, which was discovered during our year-end close, totaled $2,485.66 and included 83 individual transactions. It is being disclosed on the November 2021 Monthly Report as an additional $1,609.66 on Line 11(a)(i) and an additional $876.00 on Line 11(a)(ii)," the NRA says in the FEC filing.
Thus, to file an amendment to the November and December 2021 Monthly Report, as well as the subsequent changes in the 2021 Year-End and February 2022 Monthly Reports, and to disclose an additional $2,485.66 in credit card contributions received in the month of October 2021, the NRA had to give a complete explanation to the FEC. And that's why the NRA had to acknowledge the October 2021 incident.
More About Grief
Grief ransomware is considered to be a rebrand of the now-famous ransomware-as-a-service provider DoppelPaymer, which is known to be operated by the Evil Corp group (see: Ransomware Changes: DoppelPaymer Rebrands; Babuk Evolves)
The operation appears to have been rebranded by its operators in May 2021, in an attempt to avoid sanctions imposed on the crime group in December 2019 by the U.S. Treasury Department’s Office of Foreign Assets Control.
Like DoppelPaymer, Grief is a ransomware-as-a-service operation, meaning it uses a business model in which operators develop crypto-locking malware that affiliates can use to infect victims and then split the profits in a predetermined percentage. Brett Stone-Gross, director of threat intelligence at cloud security firm Zscaler, says in a blog post that the only notable change between the two operations is that DoppelPaymer operators used to demand payments in bitcoins, while Grief now asks its victims to pay in monero because the FBI was able to successfully recover some of the bitcoins Colonial Pipeline paid to DarkSide.
Another tactical innovation of the Grief ransomware gang is threatening to wipe a victim's data and decryption key if the victim engages a ransom negotiator to communicate with the gang, according to Brett Callow, a threat analyst with Emsisoft (see: Is Grief's Threat to Wipe Decryption Key Believable?).
The Grief gang are threatening to immediately destroy data should their victims call in negotiators.pic.twitter.com/31Vsup3ioB
— Brett Callow (@BrettCallow) September 14, 2021
"If a gang tells you not to seek outside help, it's because it's in their best interests that you don't. And, of course, their best interests are the exact opposite of your best interests. So ignore their threats and get help. Call in incident response professionals and call in law enforcement," Callow said in September 2021.