An Obvious Ransomware Hack Puts the NRA in a Bind
On Wednesday, the Russian ransomware group Grief posted a sample of data it claimed was stolen from the National Rifle Association. Dealing with ransomware is a pain under any circumstances. But Grief presents further complications, because the group is connected to the notorious Evil Corp gang, which has been subject to U.S. Treasury sanctions since December 2019. Even if you decide to pay, you could face serious penalties.
The U.S. government has become increasingly aggressive about imposing sanctions on cybercriminal groups, and in recent months the White House has announced that other ransomware actors may be blacklisted soon. As these efforts progress, they are shaping the behavior of both ransomware actors and their victims.
The NRA has not confirmed the attack or the validity of the allegedly stolen documents, which the researcher said included materials related to grant applications, letters of political endorsement, and apparent minutes from a recent NRA meeting. It appears, they added, that the NRA was hit by ransomware late last week or over the weekend, lining up with reports that the organization’s email systems were down.
On Friday, Grief removed the NRA’s posting from its dark web site. Brett Callow, a threat analyst at antivirus company Emsisoft, warns against over-reading that development. A delisting may indicate that a payment has been made, but it may also mean that the group has entered into negotiations with the victim, who in turn may be buying time to investigate the situation and develop a response plan. Sometimes attackers also abandon an extortion attempt when the incident has drawn a lot of attention from law enforcement.
More interesting, perhaps, is Grief itself, which most researchers agree is just one of many fronts for Evil Corp. Given the murky web of ransomware actors and their malware, some researchers believe Grief is a spinoff group rather than Evil Corp itself. Analysts look at attackers’ methods and infrastructure, including indicators such as the file encryption format and distribution mechanisms, to identify links. In the case of Grief, the group has technical similarities to other Evil Corp-linked entities such as DoppelPaymer, and uses the Dridex botnet, Evil Corp’s historical signature tool.
“Grief has been going on slowly and steadily over a period of time,” Callow said. “What we saw was Evil Corp cycling through different brands to deceive payment companies, so that they were unaware they were dealing with a sanctioned entity, or perhaps to give them plausible deniability.”
Ransomware experts have noted that the sanctions do not prevent Evil Corp from attacking targets and getting paid. But they do seem to have affected the group’s operations, forcing the hackers to change how they present themselves and what they tell victims.
“It’s interesting, we don’t always see ransomware actors pretending to be other groups, because you want to make sure you get paid,” said Allan Liska, an analyst for security firm Recorded Future. “If you’ve been hit by Conti or Lockbit you know you’ve been hit by Conti or Lockbit. So I think that signifies a change in behavior because of sanctions. DoppelPaymer, Grief, and many other ransomware strains and groups are tied to Evil Corp.”