The Federal Bureau of Investigation (FBI) has issued a cybersecurity alert on OnePercent Group ransomware. The alert includes technical details on the attacks, the tools used and indicators of compromise.
An excerpt from the FBI alert:
“The FBI has learned of a cyber-criminal group who self identifies as the ‘OnePercent Group’ and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.”
Once they gain access to the data, the OnePercent Group will encrypt it and then exfiltrate it from their victims’ systems.
The OnePercent Group is notorious for leaving ransom notes warning that they will leak a small percentage of the stolen data (hence the name “one percent”) unless their victims pay quickly. The ransomware gang gives its victims up to a week to make contact and then follows up with phone calls and emails threatening to release the stolen data through The Onion Router (Tor) network and the clearnet.
Finally, if the ransom is not paid in full, the actors sell all the stolen data to the Sodinokibi Group and publish it at an auction.
Tools used
According to the FBI, the OnePercent Group uses the following tools in their ransomware attacks:
- AWS S3 cloud
- BetterSafetyKatz
- Cobalt Strike
- IcedID
- Mimikatz
- PowerShell
- Rclone
- SharpKatz
- SharpSploit
Although many of these tools are legitimate, attackers frequently use them to compromise victims’ networks and to look for further weaknesses to exploit once inside.
Readers can check out the full FBI report for more technical details and indicators of compromise (IoCs).