Grief
Grief is a ransomware operation with reported ties to the Russian cybercrime group Evil Corp. It is described as an offshoot of DoppelPaymer, which itself evolved from Evil Corp's earlier ransomware tooling. The group runs a double-extortion model: it steals data from victims, posts them on its public leak site, and threatens to publish additional files unless an undisclosed ransom is paid.

In the NRA incident cited by the tracked sources, Grief listed the National Rifle Association on its leak site, claimed to hold 13 files allegedly taken from NRA databases, and exposed material that reportedly included recent board meeting minutes, grant-related documents, and tax forms. Reporting also noted that messaging about the NRA breach was amplified by a network of fake Twitter accounts; public attribution did not establish that this network belonged to Grief, so the amplification should not be read as a confirmed Grief procedure.

Grief is reported to have spent much of 2021 targeting U.S. school districts and local governments, with further attacks against government, healthcare, and education entities in states including New York, Alabama, Mississippi, Indiana, Washington, and Texas.

Practitioner caveat: Evil Corp was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in December 2019. Because Grief is reported to descend from that group, ransom payments associated with Grief may carry U.S. sanctions risk for the paying organization and for any negotiator, insurer, or payment intermediary involved; legal review before any payment decision is warranted.

High-confidence behaviors directly supported by the tracked sources are: operation of a public leak site, extortion through threatened publication of stolen data, and targeting of U.S. organizations including the National Rifle Association.
Groups observed using it
2 distinct threat actors attributed by public researchers.
After the notorious Grief ransomware group added the National Rifle Association to its public list of victims, messages about the breach were reportedly amplified by a network of fake Twitter accounts.
The Grief ransomware gang -- which has ties to the prolific Russian cybercrime group Evil Corp -- posted about the NRA on its leak site... It threatened to leak more files if the NRA did not pay an undisclosed ransom.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Impact
2 techniques
Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly from the NRA's databases... It threatened to leak more files if the NRA did not pay an undisclosed ransom.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Ransomware family/group involved in extortion against victims, including public shaming and leak threats; the content describes it as an offshoot of DoppelPaymer.
Ransomware used in extortion attacks, including data theft and leak-site pressure tactics against victims.
Ransomware used to extort victims by stealing data and threatening to leak additional files unless a ransom is paid.