{ "id": "c873ce4f-4a72-416d-a456-9a509575fa74", "created_at": "2026-04-06T00:07:04.501815Z", "updated_at": "2026-04-10T03:33:15.532693Z", "deleted_at": null, "sha1_hash": "0b047e7aba9cda6dbff0d1dba993d432515339c1", "title": "NRA: No comment on Russian ransomware gang attack claims", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 779185, "plain_text": "NRA: No comment on Russian ransomware gang attack claims\r\nBy Lawrence Abrams\r\nPublished: 2021-10-27 · Archived: 2026-04-05 19:26:46 UTC\r\nThe Grief ransomware gang claims to have attacked the National Rifle Association (NRA) and released stolen data as proof\r\nof the attack.\r\nToday, the ransomware gang added the NRA as a new victim on their data leak site while displaying screenshots of Excel\r\nspreadsheets containing US tax information and investments amounts. \r\nThe threat actors also leaked a 2.7 MB archive titled 'National Grants.zip,' that we have been told contains alleged NRA\r\ngrant applications\r\nhttps://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nNRA entry on the Grief ransomware data leak site\r\nEarlier this morning, BleepingComputer contacted the NRA multiple times, including speaking to the NRA's Director of\r\nCommunications Amy Hunter but did not receive any answers regarding the alleged attack.\r\nThe NRA later published a statement saying they do not comment on physical or electronic security of their organization.\r\n\"NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes\r\nextraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in\r\ndoing so.” - Andrew Arulanandam, managing dir., NRA Public Affairs.\r\nGrief tied to Russian hacking group\r\nThe Grief ransomware gang is believed to be tied to a Russian hacking group known as Evil Corp.\r\nEvil Corp has been active since 2009 and has been involved in numerous malicious cyber activities, including the\r\ndistribution of the Dridex trojan to steal online banking credentials and steal money.\r\nThe hacking group turned to ransomware in 2017, when they released ransomware known as BitPaymer. BitPaymer later\r\nmorphed into the DoppelPaymer ransomware operation in 2019.\r\nAfter years of attacking US interests, the US Department of Justice charged members of the Evil Corp for stealing over $100\r\nmillion and added the hacking group to the Office of Foreign Assets Control (OFAC) sanction list.\r\nSoon after, the US Treasury later warned that ransomware negotiators might face civil penalties for facilitating ransom\r\npayments to gangs on the sanction list.\r\nSince then, Evil Corp has been routinely releasing new ransomware strains under different names to evade US sanctions.\r\nThese ransomware families include WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, more recently,\r\nthe Macaw Locker.\r\nHowever, their original ransomware, DoppelPaymer, ran for years under the same name until May 2021, when they stopped\r\nlisting new victims on their data leak site.\r\nOne month later, the Grief ransomware gang emerged, with security researchers believing to be a rebrand of\r\nDoppelPaymer based on code similarities.\r\nAs Grief is linked to Evil Corp, it is likely that ransomware negotiators will not facilitate ransom payments without the\r\nvictim first getting approval from the OFAC.\r\nhttps://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/\r\nhttps://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/" ], "report_names": [ "nra-no-comment-on-russian-ransomware-gang-attack-claims" ], "threat_actors": [ { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434024, "ts_updated_at": 1775791995, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0b047e7aba9cda6dbff0d1dba993d432515339c1.pdf", "text": "https://archive.orkl.eu/0b047e7aba9cda6dbff0d1dba993d432515339c1.txt", "img": "https://archive.orkl.eu/0b047e7aba9cda6dbff0d1dba993d432515339c1.jpg" } }