Grief, a ransomware group with ties to Russia-based Evil Corp, claims to have stolen data from the gun-rights group and has posted files on its dark web site.
A ransomware group tied to Russia claims to have stolen data from the National Rifle Association (NRA) in a ransomware attack on the controversial gun-rights group, which has declined to comment on the situation.
The Grief ransomware gang listed the NRA as a victim of its nefarious activity on its data-leak site. Brett Callow, a threat analyst with cybersecurity firm Emsisoft, posted a screenshot of Grief’s post on his Twitter account. Grief has ties to the notorious Russian cybercriminal organization Evil Corp and has recently emerged as a growing ransomware threat. The group displayed screenshots of Excel spreadsheets containing U.S. tax information and investment amounts on its leak site. They also posted a 2.7MB archive titled “National Grants.zip,” according to a report on BleepingComputer. Grief reportedly claimed that the archive contains NRA grant applications.
The NRA is a gun rights advocacy group based in the United States. Founded in 1871 to advance rifle marksmanship, the modern NRA has become a prominent gun rights lobbying organization while continuing to teach firearm safety and competency. The NRA has decided to remain mum on Grief’s claims for now. The organization posted a statement attributed to NRA Managing Director Andrew Arulanandam on its Twitter account, asserting that it “does not discuss matters relating to its physical or electronic security.”
“However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations and is vigilant in doing so,” according to the statement. Noting that “It’s hard to shoot your way out of a cyberattack,” one security expert suggested that the NRA may not have gone far enough in taking defensive security measures to protect its sensitive data.
“It’s always better to prevent a successful ransomware attack than respond to one,” Tim Erlin, VP of Strategy at cybersecurity firm Tripwire, wrote in an email to Threatpost. “Ensuring that systems are securely configured, that vulnerabilities are patched, and that users are as well trained as possible to spot phishing attempts can go a long way to making the attacker’s job more difficult.”
These days, ransomware groups have become increasingly aggressive and successful at disrupting numerous high-profile companies and critical-infrastructure entities. Experts observed that Grief is likely to have pulled off a ransomware attack on the NRA, even if the organization chooses not to disclose details or acknowledge the incident at this time.
In fact, perhaps it was the group’s handling of the matter that inspired Grief to disclose the attack before the NRA remediated the situation on its own, suggested another security expert. Ransomware groups often disclose data on their websites if a targeted organization refuses to pay ransom after a certain period of time.
“With increasing awareness and an abundance of security and backup options to help companies recover their data after an attack, it makes sense that attackers would shift their methods as a response,” observed Jonathan Tanner, senior security researcher at enterprise security firm Barracuda, in an email to Threatpost. “This method can lead to customers’ data being exposed, confidentiality being broken, and even public embarrassment.”
This can be the case particularly if the targeted organization “may have wanted to handle the incident quietly or if leaked documents contain information of conversations or actions that were less than above board,” he added.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-factor authentication company-wide.
- For USA readers, join and become active in your local Infragard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://www.redskyalliance.org/
https://www.wapacklabs.com/
https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
https://threatpost.com/grief-ransomware-nra/175850/