A cybercrime gang claims to have stolen data from the National Rifle Association (NRA), a gun rights advocacy organisation in the United States.
“NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so.”–Andrew Arulanandam, managing dir., NRA Public Affairs
— NRA (@NRA) October 27, 2021
The NRA claimed it “does not discuss anything relevant to its physical or technological security” in response to the allegations. “We take extreme efforts to protect information about our members, funders, and activities – and we are attentive in doing so,” the organisation said.
The threat actor that claims to have hacked into NRA computers has been profiting from the Grief ransomware. In addition to encrypting victims’ files, the group operates a Tor-based website where it threatens to expose stolen information if a ransom is not paid. The cybercriminals appear to have followed through on their threats in some cases.
Tens of files reportedly obtained from the NRA have been made public so far, including financial reports, papers relating to the NRA Foundation’s national grants, and House and Senate endorsement letters for the 2016 elections.
The amount of money the Grief ransomware perpetrators expect to get from the NRA is unknown.
“Ransomware gangs are increasingly using data leaks and extortion as a technique. With increased knowledge and a plethora of protection and backup alternatives to assist businesses in recovering their data following an attack, it’s understandable that attackers would shift their tactics in response,” said Jonathan Tanner, senior security researcher at Barracuda.
“This strategy can lead to customers’ data being revealed, confidentiality being broken, and even public disgrace,” Tanner warned, “whether the corporation may have wished to handle it discreetly or whether stolen documents contain details about less-than-above-board talks or acts.”
The Grief ransomware first appeared in May 2021, and it’s thought to be a rebranding of the DoppelPaymer ransomware. Russia is thought to be the hackers’ base of operations.