A Hacking Group Claims to be Holding the NRA to Ransom

Government sanctions could force the organization to choose between paying the hackers or facing the wrath of the US treasury
Aaron Drapkin

Russian-based hacking group Grief posted confidential files belonging to the National Rifle Association on the dark web last week. The criminal organization has threatened to release further stolen documents if its financial demands are not met. 

Government-enforced sanctions relating to paying hacking groups ransoms have effectively put the National Rifle Association in a catch 22 – if it parts with any cash, it could face serious penalties from the US Treasury. 

The NRA is the latest in a long line of US organizations to experience a ransomware attack since the beginning of the Covid-19 pandemic, a sign that it’s now more important than ever for businesses to invest in cybersecurity software and other data protection products.

The NRA’s Ransomware Hack: What We Know

The ransomware attack was reportedly launched by a hacking group called Grief. Based in Russia, members of the group posted 13 files online that it claimed contained stolen, confidential NRA data. 

Reports suggest the files include minutes from a recent NRA meeting, letters of endorsement from political figures, and information regarding grant applications. 

Although the National Rifle Association itself has not directly confirmed that the attack took place, The gun-rights advocacy group’s Managing Director of Public Affairs took to Twitter last week to say:

“NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so” – Andrew Arulanandam, Managing Director of Public Affairs.

Grief itself has no history of ‘faking’ attacks or claiming responsibility for ransomware campaigns that it didn’t orchestrate. The NRA’s emailing system was down for a significant period of time last week too, something that often happens to companies experiencing ransomware attacks.

The post on the dark web that allegedly contained the files stolen from the NRA has since been taken down. This could mean any number of things, however – it could be as a signal that the ransom has been paid, but equally, it could mean negotiations are only just starting. 

A Grief History Of Evil Corp.

Cybersecurity experts have been quick to point out the connection between Grief, the culprits behind this attack on the NRA, and Evil Corp., a hacking group responsible for several high-profile ransomware attacks in recent years. 

Colonial Pipeline – the largest pipeline system for oil refined products in the United States – was forced to pay $5m to Evil Corp. last year. Technology company Garmin was also forced to pay up after it was hit by an Evil Corp. ransomware attack in 2020

Some believe the two entities to be identical – the same actors under a different name – whereas others have suggested Grief could be a spinoff or splinter group that has heavy ties with Evil Corp. The perceived association has arisen from the fact that Grief uses Dridex malware to steal information, which could be described as Evil Corp’s calling card. The group’s behavior has also drawn comparisons to DoppelPaymer, another hacking entity linked to Evil Corp. 

Do Sanctions Await the NRA?

If Grief is indeed the same entity just operating under a different name, the group’s rebranding might be a reaction to the sanctions imposed by the US government in 2019, which states that U.S. persons are “generally prohibited from engaging in transactions with them”. 

“What we've seen is Evil Corp cycling through various brands in order to either trick companies into paying, not realizing that they’re dealing with a sanctioned entity, or perhaps to provide them with plausible deniability” Brett Callow, A cybersecurity analyst at Emsisoft, told Wired

The sanctions could prove a problem for the NRA, who may have to get creative if it wants to avoid a fine from the Treasury for attempting to broker a financial agreement with Grief. When Garmin was being held to ransom by Evil Corp., for instance, it was forced to use a middleman to pay its ransom. 

The Rise Of Ransomware & Protecting Your Business

The European Union Agency for Cybersecurity recently released a report covering the threat landscape businesses face online. 

Drawing on data from April 2020 to July 2021, the agency identified ransomware as the ‘prime threat’ to corporations today, citing a 150% rise in attacks of this kind during the research period. 

As most ransomware attacks rely on malware to infect a user’s computer, if you’re a business owner, it’s crucial to invest in reliable antivirus software to protect your assets. Creating a system for backing up data and company work regularly is also now essential, as this may save your skin if you’re being threatened with the prospect of document deletion. 

However, a surprising amount of ransomware attacks in 2021 still rely on brute-forcing techniques – a trial-and-error process of guessing user credentials – which means password managers now have a renewed importance for businesses.

It's unlikely this will be the last time we hear of Grief/Evil Corp. – but whether the NRA bends to the group's demands, particularly in light of existing sanctions, could set the tone for companies responding to ransomware attacks for the foreseeable future.

This article was last updated on:
Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals