An Apparent Ransomware Hack Puts the NRA in a Bind

An Apparent Ransomware Hack Puts the NRA in a Bind 1
The group behind the reported attack is under sanctions from the US Treasury, which means a payout could come with penalties for the victim.

On Wednesday, the Russian ransomware group Grief posted a sample of data that it claimed was stolen from the National Rifle Association. Dealing with ransomware is a pain under any circumstances. But Grief presents even more complications, because the group is connected to the notorious Evil Corp gang, which has been subject to US Treasury sanctions since December 2019. Even if you decide to pay Grief off, you could face serious penalties. 

The US government has been increasingly aggressive about imposing sanctions on cybercriminal groups, and in recent months the White House has hinted that other ransomware actors may soon be blacklisted. And as these efforts ramp up, they’re shaping the approaches of ransomware actors and victims alike.

The NRA has not confirmed the attack nor the validity of the purported stolen documents, which researcher say include materials related to grant applications, letters of political endorsement, and apparent minutes from a recent NRA meeting. It appears, they add, that the NRA was hit with ransomware late last week or over the weekend, which lines up with reports that the organization’s email systems were down.

On Friday, Grief removed the NRA posting from its dark web site. Brett Callow, a threat analyst at antivirus company Emsisoft, cautions against reading too much into that development. Delistings can indicate that a payment took place, but can also simply mean that the group has entered negotiations with the victims, who in turn may be buying time to investigate the situation and formulate a response plan. Attackers will also occasionally abandon an extortion attempt if the incident is drawing too much attention from law enforcement.

More interesting, perhaps, is Grief itself, which most researchers agree is just one of many fronts for Evil Corp. Given the murky web of ransomware actors and their malware, some researchers believe that Grief is a spinoff group rather than Evil Corp itself. Analysts look at attackers’ methods and infrastructure, including indicators like encryption file format and distribution mechanisms, to uncover links. In the case of Grief, the group has technical similarities to other Evil Corp–linked entities like DoppelPaymer, and uses the Dridex botnet—historically Evil Corp’s signature product.

“Grief has been operating slowly and steadily for some time,” Callow says. “What we’ve seen is Evil Corp cycling through various brands in order to either trick companies into paying, not realizing that they’re dealing with a sanctioned entity, or perhaps to provide them with plausible deniability.”

Ransomware experts note that sanctions have not stopped Evil Corp from attacking targets and getting paid. But they do seem to have impacted the group’s operations, forcing the hackers to factor sanctions into how they present themselves and what they communicate to victims. 

“It’s interesting. We don’t often see ransomware actors pretending to be other groups, because you want to make sure you get paid,” says Allan Liska, an analyst for the security firm Recorded Future. “If you’ve been hit by Conti or Lockbit, you know you’ve been hit by Conti or Lockbit. So I think that indicates a change in behavior because of the sanctions. DoppelPaymer, Grief, and several other ransomware strains and groups are tied to Evil Corp.”

Grief and other ransomware groups have also increasingly warned victims not to notify law enforcement about attacks or engage incident response firms. Attempts to keep targets isolated are aimed at making them feel as desperate and uncertain as possible. And for sanctioned entities like Evil Corp, these warnings are also likely intended to keep victims from hearing advice about the potential consequences of paying.

“NRA does not discuss matters relating to its physical or electronic security,” NRA public affairs managing director Andrew Arulanandam said in a tweet on Wednesday. “However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations—and is vigilant in doing so.”

The NRA did not return a request for comment on Friday asking whether the organization paid a ransom or is negotiating with Grief.

In an updated advisory at the end of September, the Treasury’s Office of Foreign Assets Control emphasized that even plausible deniability isn’t enough when it comes to paying off marked cybercriminals.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws,” the agency says.

OFAC goes on, though, to say that some “mitigating factors” can result in lenience for certain victims who make a banned ransom payment, namely significant prior investment in cybersecurity defenses and cooperation with law enforcement immediately following an attack. OFAC says it sometimes takes nonpublic actions against violators, like issuing a “No Action Letter” or “Cautionary Letter” rather than publicly imposing fines or other civil penalties.

Sanctions are just one of a host of factors that ransomware victims need to consider. And they put prominent victims like the NRA in a particularly tight spot. But that’s also why those sanctions exist: to incentivize disclosure so that law enforcement can get involved directly as early as possible. Which may help crack down on attacks in the long run, but doesn’t help disentangle things for victims who would rather move on as quickly and painlessly as possible.

“Sanctions are certainly impacting the behavior of the ransomware groups,” Emsisoft’s Callow says. “How much they are impacting the victims, I don’t know.”


More Great WIRED Stories