On Wednesday, the Russian ransomware group Grief posted a sample of data that it claimed was stolen from the National Rifle Association. Dealing with ransomware is a pain under any circumstances. But Grief presents even more complications, because the group is connected to the notorious Evil Corp gang, which has been subject to US Treasury sanctions since December 2019. Even if you decide to pay Grief off, you could face serious penalties.
The US government has been increasingly aggressive about imposing sanctions on cybercriminal groups, and in recent months the White House has hinted that other ransomware actors may soon be blacklisted. And as these efforts ramp up, they’re shaping the approaches of ransomware actors and victims alike.
The NRA has not confirmed the attack nor the validity of the purported stolen documents, which researchers say include materials related to grant applications, letters of political endorsement, and apparent minutes from a recent NRA meeting. It appears, they add, that the NRA was hit with ransomware late last week or over the weekend, which lines up with reports that the organization’s email systems were down.
On Friday, Grief removed the NRA posting from its dark web site. Brett Callow, a threat analyst at antivirus company Emsisoft, cautions against reading too much into that development. Delistings can indicate that a payment took place, but can also simply mean that the group has entered negotiations with the victims, who in turn may be buying time to investigate the situation and formulate a response plan. Attackers will also occasionally abandon an extortion attempt if the incident is drawing too much attention from law enforcement.
More interesting, perhaps, is Grief itself, which most researchers agree is just one of many fronts for Evil Corp. Given the murky web of ransomware actors and their malware, some researchers believe that Grief is a spinoff group rather than Evil Corp itself. Analysts look at attackers’ methods and infrastructure, including indicators like encryption file format and distribution mechanisms, to uncover links. In the case of Grief, the group has technical similarities to other Evil Corp–linked entities like DoppelPaymer, and uses the Dridex botnet—historically Evil Corp’s signature product.
“Grief has been operating slowly and steadily for some time,” Callow says. “What we’ve seen is Evil Corp cycling through various brands in order to either trick companies into paying, not realizing that they’re dealing with a sanctioned entity, or perhaps to provide them with plausible deniability.”
Ransomware experts note that sanctions have not stopped Evil Corp from attacking targets and getting paid. But they do seem to have impacted the group’s operations, forcing the hackers to factor sanctions into how they present themselves and what they communicate to victims.
“It’s interesting. We don’t often see ransomware actors pretending to be other groups, because you want to make sure you get paid,” says Allan Liska, an analyst for the security firm Recorded Future. “If you’ve been hit by Conti or Lockbit, you know you’ve been hit by Conti or Lockbit. So I think that indicates a change in behavior because of the sanctions. DoppelPaymer, Grief, and several other ransomware strains and groups are tied to Evil Corp.”