Possible NRA Breach Leaked

The Grief ransomware gang claims to have attacked the National Rifle Association (NRA) and released stolen data as proof of the attack. Today, the ransomware gang added the NRA as a new victim on their data leak site while displaying screenshots of Excel spreadsheets containing US tax information and investment amounts. The threat actors also leaked a 2.7 MB archive titled ‘National,’ which appears to contain alleged NRA grant applications. Reporters have contacted the NRA multiple times, including speaking to the NRA’s Director of Communications Amy Hunter, but did not receive any answers regarding the alleged attack. The NRA later published a statement saying they do not comment on the physical or electronic security of their organization.

The Grief ransomware gang is believed to be tied to a Russian hacking group known as Evil Corp. Evil Corp has been active since 2009 and has been involved in numerous malicious cyber activities, including the distribution of the Dridex trojan to steal online banking credentials and money. The hacking group turned to ransomware in 2017, when they released ransomware known as BitPaymer. BitPaymer later morphed into the DoppelPaymer ransomware operation in 2019. After years of attacking US interests, the US Department of Justice charged members of Evil Corp with stealing over $100 million and added the hacking group to the Office of Foreign Assets Control (OFAC) sanctions list.

Soon after, the US Treasury warned that ransomware negotiators might face civil penalties for facilitating ransom payments to gangs on the sanctions list. Since then, Evil Corp has been routinely releasing new ransomware strains under different names to evade US sanctions. These ransomware families include WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, more recently, Macaw Locker. However, their original ransomware, DoppelPaymer, ran for years under the same name until May 2021, when they stopped listing new victims on their data leak site. One month later, the Grief ransomware gang emerged, which security researchers believe to be a rebrand of DoppelPaymer based on code similarities. As Grief is linked to Evil Corp, it is likely that ransomware negotiators will not facilitate ransom payments without the victim first getting approval from OFAC.

Analyst Notes

As the extent of the breach is not yet known, all organizations that deal with the NRA should be aware that their information could be leaked by the cybercriminals. Leaked information could result in increased targeting by either the Grief ransomware gang or other cybercriminal groups looking to cash in on the information. Any organization that does encounter attacks by these criminals should cooperate with local and federal law enforcement agencies as quickly as possible.