The Federal Bureau of Investigation (FBI) has issued a cybersecurity alert on OnePercent Group Ransomware. The alert includes technical details on cyberattack, tools used and indicators of compromise.
An excerpt from the FBI alert:
“The FBI has learned of a cyber-criminal group who self identifies as the ‘OnePercent Group’ and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.”
Once they gain access to the data, the OnePercent Group will encrypt and then exfiltrate the data from their victims’ systems.
The OnePercent Group is notorious for leaving ransom notes warning they will leak a small percentage of stolen data (hence the name “one percent”) unless their victims pay quickly. The ransomware gang will give their victims up to week to contact them and will then follow-up with phone calls and emails threatening to release the stolen data through The Onion Router (TOR) network and clearnet.
Finally, if the ransom is not paid in full, the actors will then sell all the stolen data to the Sodinokibi Group and published at an auction.
According to the FBI, the OnePercent Group uses the following tools in their ransomware attacks:
- AWS S3 cloud
- Cobalt Strike
Although many of these tools are legitimate, attackers often use them to assist them in compromising or exploring for new exploits on victims’ networks.
Readers can check out the full FBI report for more technical details and indicators of compromise (IoC).
- FBI identifies 16 Conti ransomware attacks targeting US healthcare and first responder networks
- CISA and FBI alert: DarkSide ransomware used in Colonial Pipeline cyberattack (and mitigation guidance) – updated
- FBI warns of PYSA Ransomware attacks against schools in the U.S. and U.K.
- Emotet malware active threat drops IcedID Trojan
- FBI: Beware of banking trojans and fake mobile banking apps