Fraud Management & Cybercrime , Governance & Risk Management , Ransomware

NRA Finally Confirms Ransomware Attack From 2021

Attack Details Came to Light in the Organization's FEC Filing
NRA Finally Confirms Ransomware Attack From 2021
Attack details emerge as the NRA explains a financial discrepancy. (Photo: Grégoire Breault via Flickr)

The U.S. National Rifle Association reportedly fell victim to a ransomware attack in October 2021. The NRA did not acknowledge the attack at the time, but a recent Federal Election Commission filing submitted by the organization explaining a financial discrepancy caused by the ransomware attack has forced the NRA to confirm the attack and detail its impact.

See Also: OnDemand | Defining a Detection & Response Strategy

The Impact

The ransomware attack took place on Oct. 20, 2021, at a "sponsoring organization," the NRA says in its FEC filing, which was conducted by its political action committee. In the immediate aftermath of the incident, the NRA confirms that it did not have email or network access, which suggests that the NRA's services must have been disrupted significantly.

The NRA states in the FEC filing, "[At] the time, we were not able to access email or network files. When our information security team brought our network back online, the process was undertaken slowly and carefully, with the end result that we did not have full access to our network and the internet until the second week of November."

What Happened

In October 2021, a Russian cybercriminal gang known as Grief reportedly posted 13 files belonging to the NRA as a sample of the entire data set, which the gang claimed to possess. This data was posted on Grief's website, and the cybercriminals warned of leaking additional data if an undisclosed ransom was not paid.

The NRA, at the time, did not respond to Information Security Media Group's request for comment. But Andrew Arulanandam, managing director of public affairs for the NRA, said on Twitter: "NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations - and is vigilant in doing so."

Why Did NRA Acknowledge the Attack Now?

According to the FEC filing, during the network restoration process that the NRA's information security team undertook, one batch of credit card receipts from the NRA's donors was not processed correctly into the database since the email and network services were barely operational.

This resulted in inadequate filing of nearly $2,500 worth of donor funds for November 2021. "This batch, which was discovered during our year-end close, totaled $2,485.66 and included 83 individual transactions. It is being disclosed on the November 2021 Monthly Report as an additional $1,609.66 on Line 11(a)(i) and an additional $876.00 on Line 11(a)(ii)," the NRA says in the FEC filing.

Thus, to file an amendment to the November and December 2021 Monthly Report, as well as the subsequent changes in the 2021 Year-End and February 2022 Monthly Reports, and to disclose an additional $2,485.66 in credit card contributions received in the month of October 2021, the NRA had to give a complete explanation to the FEC. And that's why the NRA had to acknowledge the October 2021 incident.

More About Grief

Grief ransomware is considered to be a rebrand of the now-famous ransomware-as-a-service provider DoppelPaymer, which is known to be operated by the Evil Corp group (see: Ransomware Changes: DoppelPaymer Rebrands; Babuk Evolves)

The operation appears to have been rebranded by its operators in May 2021, in an attempt to avoid sanctions imposed on the crime group in December 2019 by the U.S. Treasury Department’s Office of Foreign Assets Control.

Like DoppelPaymer, Grief is a ransomware-as-a-service operation, meaning it uses a business model in which operators develop crypto-locking malware that affiliates can use to infect victims and then split the profits in a predetermined percentage. Brett Stone-Gross, director of threat intelligence at cloud security firm Zscaler, says in a blog post that the only notable change between the two operations is that DoppelPaymer operators used to demand payments in bitcoins, while Grief now asks its victims to pay in monero because the FBI was able to successfully recover some of the bitcoins Colonial Pipeline paid to DarkSide.

Another tactical innovation of the Grief ransomware gang is threatening to wipe a victim's data and decryption key if the victim engages a ransom negotiator to communicate with the gang, according to Brett Callow, a threat analyst with Emsisoft (see: Is Grief's Threat to Wipe Decryption Key Believable?).

"If a gang tells you not to seek outside help, it's because it's in their best interests that you don't. And, of course, their best interests are the exact opposite of your best interests. So ignore their threats and get help. Call in incident response professionals and call in law enforcement," Callow said in September 2021.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.