Files, forms and data relating to the National Rifle Association and its members were stolen and encrypted by the cybergang Grief. A ransom was demanded, which the NRA is not authorized to pay.
The National Rifle Association (NRA), the American firearms promotion association, suffered a ransomware cyberattack. Data was stolen, including 13 documents released by the cybergang Grief, which is behind the attack. Files posted online include minutes of a recent NRA board meeting as well as member tax forms and grant documents. A ransom was demanded, but the amount was not specified. “The NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information about its members, donors and operations and is vigilant in doing so,” said Andrew Arulanandam, the association’s general manager of public affairs.
However, the possibility of data recovery seems very slim. “A gun won’t help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data,” warns Paul Bischoff, chief privacy officer at Comparitech. “The inclusion of tax forms is of particular concern because cybercriminals can use them to commit tax fraud. Be sure to file your taxes early and make sure no one else files them on your behalf. Grief has led several attacks in the United States against targets in government, health, and education.”
A very possible link to the Russian cybergang Evil Corp
Formerly known as DoppelPaymer, Grief is far from its first attack and already counts many victims, including schools and local governments (Alabama, Indiana, New York, Mississippi, Texas…), as well as companies such as Kia Motors America, Endemol, the Mexican oil company Pemex, a Foxconn factory…
Grief is a cybergang that specializes in file encryption and data theft and is believed to be linked to another well-known Russian malicious actor, Evil Corp, and its Dridex malware. If so, the NRA may well have few options for extricating itself from this situation, because the Treasury Department took action against Evil Corp in 2019 and has since forced victim organizations and companies to seek permission before paying any ransom. These rules were put in place after the cyberattack against Garmin by the WastedLocker ransomware, which is presumably also related to Evil Corp.