On Wednesday, the Russian ransomware group Grief posted a sample of data it claimed to have stolen from the National Rifle Association. Dealing with ransomware is painful in any situation, but Grief presents added complexity, because the group is linked to the infamous Evil Corp gang, which has been under US Treasury sanctions since December 2019. Even if you decide to pay Grief, you could face serious fines.
The U.S. government has been increasingly aggressive in imposing sanctions on cybercriminal groups, and the White House has indicated in recent months that other ransomware actors may soon be blacklisted. As these efforts grow, they are shaping the behavior of ransomware actors and victims alike.
The NRA has not confirmed the attack or the validity of the allegedly stolen documents, which researchers say include a grant application, a political endorsement letter, and materials that appear to be minutes from a recent NRA meeting. Researchers added that the NRA appears to have been hit with ransomware late last week or over the weekend, which aligns with reports that the organization’s email system was down.
On Friday, Grief removed the NRA posting from its dark web site. Brett Callow, a threat analyst at antivirus company Emsisoft, warned against reading too much into that development. Delisting may indicate that a payment has occurred, but it may also simply mean that the group has entered into negotiations with the victim, who may be trying to buy time to investigate the situation and formulate a response plan. Attackers will also occasionally abandon extortion attempts if the incident draws too much attention from law enforcement agencies.
More interesting, perhaps, is Grief itself, which most researchers believe is just one of many fronts for Evil Corp. Given the murky web of ransomware actors and their malware, some researchers believe that Grief is a spinoff group rather than Evil Corp itself. Analysts look at attackers’ methods and infrastructure, including indicators such as encrypted file formats and distribution mechanisms, to uncover links. Grief has technical similarities with other Evil Corp-affiliated operations, such as DoppelPaymer, and uses the Dridex botnet, historically Evil Corp’s signature product.
“Grief has been working slowly and steadily for some time,” Callow said. “What we’ve seen is that Evil Corp deceives companies into paying by cycling through different brands, so they don’t realize they’re dealing with a sanctioned entity, or perhaps for their plausible deniability.”
Ransomware experts believe the sanctions have not deterred Evil Corp from attacking targets and getting paid. But they seem to have influenced the group’s activities, forcing the hackers to change how they present themselves and how they interact with victims.
“It’s interesting, we don’t often see ransomware actors pretending to be another group, because you want to make sure you get paid,” said Allan Liska, an analyst at security firm Recorded Future. “If you were hit by Conti or LockBit, you know you were hit by Conti or LockBit. So I think it indicates a change in behavior due to the sanctions. DoppelPaymer, Grief, and several other ransomware strains and groups are affiliated with Evil Corp.”