The Grief ransomware group claims to have hacked the NRA (National Rifle Association) and released stolen data as proof.
The NRA was listed as a new victim on the ransomware gang’s data dump site today, along with pictures of Excel files revealing US tax data and investment amounts.
The threat actors also published a 2.7 MB package called ‘National Grants.zip,’ comprising bogus NRA grant applications.
The NRA later tweeted that they do not comment on their organization’s physical security or cybersecurity.
The Grief ransomware gang is said to be linked to Evil Corp, a Russian hacker group. Since 2009, Evil Corp has been involved in various criminal cyber operations, including the spread of the Dridex virus to steal online banking details and money.
In 2017, the hacker gang switched to ransomware, releasing the BitPaymer malware. BitPaymer was later renamed DoppelPaymer in 2019.
The US Dept. of Justice accused members of Evil Corp of stealing over $100 million, and the hacking organization was added to the Office of Foreign Assets Control (OFAC) sanctions list after years of attacks on US interests.
Soon after, the US Treasury warned that ransomware negotiators might face civil penalties if they helped groups on the sanctions list obtain ransom payments.
To avoid US sanctions, Evil Corp has regularly been spreading new ransomware strains under different identities since then. WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, more recently, Macaw Locker are among these ransomware families.
However, their initial ransomware, DoppelPaymer, was still active until May 2021, when they ceased adding new victims to their data leak website.
The Grief ransomware group appeared a month later, and security researchers believe it is a rebrand of DoppelPaymer based on code similarities. Because Grief is related to Evil Corp, ransomware negotiators are unlikely to allow ransom payments unless the victim first obtains OFAC certification.