NRA Reportedly Hit By Russia-Linked Ransomware Attack
Security Experts: 'Grief' Ransomware Gang Leaks Alleged NRA Data on Darknet
The National Rifle Association has reportedly fallen victim to a ransomware attack at the hands of a Russian cybercriminal gang known as Grief. The group has reportedly posted 13 files to its website after claiming to have hacked the gun rights advocacy group.
According to NBC News, the data leak to the gang's darknet site appears to be an effort to get the organization - one of the most influential advocacy groups in Washington, D.C. - to pay a ransom, the amount of which is currently unknown.
The group has also reportedly threatened to release additional files if it is not paid the undisclosed sum.
Cybersecurity experts believe the gang is a rebrand of the group formerly known as Evil Corp, which was sanctioned by the U.S. Treasury Department in 2019. Because the group is a sanctioned entity, organizations that pay it a ransom risk violating U.S. sanctions and incurring civil penalties.
Multiple reports have connected Evil Corp to the ransomware attack that struck the broadcasting giant Sinclair Broadcast Group last week - an incident that disrupted some news broadcasts nationwide (see: Sinclair TV Stations Targeted in Weekend Ransomware Attack).
The NRA did not immediately respond to Information Security Media Group's request for comment. But Andrew Arulanandam, managing director of public affairs for the NRA, took to Twitter to say: "NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations - and is vigilant in doing so."
Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future, told NBC that Grief is "the same group" as Evil Corp. The news outlet verified that the information in the leaked files includes grant proposal forms, names of recent grant recipients, an email sent to a grant winner, a federal W-9 form and minutes from the organization's virtual meeting in September.
Sam Curry, CSO of Cybereason, tells ISMG, "It's unlikely this is a strategic attack, but time will tell. The way it would be strategic is to further divide the left from the right in the U.S. … The most likely scenario is that it's motivated by greed, and it has the potential to inadvertently explode politically. The next move is in the NRA's hands."
Mark Bowling, a former assistant special agent in charge for the FBI, tells ISMG, "[This] is the latest reminder that the new class of ransomware is adept at evading or disabling traditional security controls. Catching it when files are already being encrypted is too late."
Grief's Tactics
Evil Corp was sanctioned for using malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft, according to the U.S. Department of the Treasury. When it announced the sanctions in late 2019, the Treasury Department said the group's malicious software "has caused millions of dollars of damage to U.S. and international financial institutions and their customers."
A recent Cybereason blog post, which connects the Grief gang to Evil Corp, says Grief has previously issued memos "notifying victims that bad things will happen if law enforcement, data recovery experts, or professional negotiators are contacted.
"Basically, if the victim does not keep things strictly between them and the threat actors, the ransomware gangs will just leak or destroy their data. That is quadruple extortion," the firm wrote.
Emsisoft threat analyst Brett Callow says on Twitter: "Several types of ransomware share code both with each other and with Dridex: Grief, DoppelPaymer, WastedLocker, Macaw, etc. … Grief et al are all deployed via Dridex, they all use the same custom obfuscator as Dridex - an obfuscator which isn’t used by any other malware families - and they all have near-identical decryptors.
"This indicates that Grief was very probably created by the same team that created Dridex: and the U.S. Treasury says that's Evil Corp. … The Treasury also says that Evil Corp is headed up by a character named Maksim Yakubets who's worked for the FSB [Russia's Federal Security Service], including on projects intended to 'acquire confidential documents through cyber-enabled means.'"
The FSB is the nation's principal security agency and the main successor to the Soviet Union's KGB.
"NRA members should take steps to protect themselves from any repercussions that might arise as a result of this breach. Hint: A gun won't help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data," says Paul Bischoff, a privacy advocate for the cybersecurity and privacy platform Comparitech.
Ransomware Surge
There has been a wave of high-profile ransomware attacks in 2021, including the attack on Colonial Pipeline, which temporarily halted the East Coast's fuel supply; the attack on meat producer JBS USA; and the attack on Kaseya, which provides IT software to managed service providers - an incident that affected some 1,500 downstream organizations.
In addition to a sweeping cybersecurity executive order issued in May to holistically modernize federal networks, the U.S. convened a bilateral summit between President Joe Biden and Russian President Vladimir Putin in June to urge the latter to crack down on illicit cyber activity conducted from Russian soil. Biden reportedly outlined 16 critical infrastructure sectors that are off-limits and said that if Putin declined to act, the U.S. reserved the right to do so.
Last week, a coordinated law enforcement effort involving the U.S. and foreign partners reportedly disrupted the REvil ransomware gang's operation (see: REvil Revelations: Law Enforcement Behind Disruptions).
Tom Kellermann, head of cybersecurity strategy for VMware and also a cybercrime investigations adviser to the U.S. Secret Service, told Reuters that the FBI, in conjunction with Cyber Command, the Secret Service and "like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list."
Cybereason's Curry adds, "State-ignored ransomware gangs and cartels are not a uniquely Russian thing, but there is no denying that it is a burgeoning industry in Russia. Giving a safe haven to criminals has a way of pulling more in - whether Russian or not."
"[And] not only [are private organizations] more likely to pay [these gangs] to prevent data and information from making their way into the [public, but] they don't have the same oversight that either a publicly traded, shareholder-owned corporation would or a company that is regulated as critical infrastructure," says Bowling, who currently serves as vice president of security response services at the firm ExtraHop.