UPDATED 22:40 EST / OCTOBER 27 2021

SECURITY

National Rifle Association struck by Grief ransomware attack

The U.S. National Rifle Association has been struck by a ransomware attack and data was reportedly stolen.

The attack was first disclosed by Grief, a ransomware gang reportedly linked to prolific Russian ransomware gang Evil Corp. The gang has published 13 stolen documents as proof of the attack, including minutes from a recent NRA meeting. Other files published include documents related to grants. Grief threatened to publish more files if the NRA did not pay the ransom demanded.

As reported earlier this year, the Grief ransomware gang previously went by the name of DoppelPaymer. The Grief name is said to be a short form of the group’s full name “a.k.a. Pay or Grief.” DoppelPaymer, now Grief, is a well-known ransomware gang. Known DoppelPaymer ransomware attacks include those targeting Kia Motors America Inc., a Foxconn (Hon Hai Precision Industry Co.) plant in Mexico, “Big Brother” producer Endemol Shine and Mexican state-owned petroleum firm Pemex.

Grief is a double-tap ransomware gang, so called because it both encrypts files and steals data. In doing so, it demands a ransom not only for a decryption key but also for a promise not to publish stolen files.

DoppelPaymer’s previous successful ransomware attacks typically involved spear-phishing as their attack vector.

The NRA has confirmed the attack, though with little in the way of details. NRA public affairs managing director Andrew Arulanandam said on Twitter that although the organization does not discuss matters relating to security, “the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so.”

If Grief is linked to Evil Corp as well, that may limit the NRA’s options. As ZDNet noted, Evil Corp was sanctioned by the U.S. government in 2019, meaning that the NRA can’t legally pay the ransom without government permission.

“Data leaks and extortion have become an increasingly common tactic among ransomware groups,” Jonathan Tanner, senior security researcher at data protection firm Barracuda Networks Inc., told SiliconANGLE. “With increasing awareness and an abundance of security and backup options to help companies recover their data after an attack, it makes sense that attackers would shift their methods as a response.”

Tanner added that “this method can lead to customers’ data being exposed, confidentiality being broken, and even public embarrassment, either if the company may have wanted to handle it quietly or if leaked documents contain information of conversations or actions that were less than aboveboard.”

Photo: Ingold Nistad/Flickr
