OnePercent Ransomware Targeting Organizations Since 2020

August 25, 2021

The FBI recently issued a warning about a threat actor called OnePercent Group, which has been actively attacking U.S. organizations in ransomware attacks since November 2020.

In a flash alert issued Monday, the FBI released indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and mitigation measures.

The threat actors use malicious phishing email attachments that drop the IcedID banking trojan payload on the target’s systems. After infecting them with the trojan, the attackers download Cobalt Strike and install it on the compromised endpoints for further exploitation of the victims’ networks.

OnePercent Group exfiltrates data from the victims’ systems and then encrypts it. They contact the victims by phone and e-mail and threaten to release the stolen data through The Onion Router (TOR) network and the clearnet unless a ransom is paid in virtual currency.

After maintaining access to their victims’ networks for up to a month and exfiltrating files before deploying the ransomware payloads, OnePercent encrypts files, appending a random eight-character extension (e.g., dZCqciA), and drops uniquely named ransom notes that link to the group’s website.
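The "one unfamiliar extension suddenly shared by many files" pattern described above is something a defender can triage from a plain file listing. The following is an added Python illustration, not code from the FBI alert or the article; the regex, the allowlist of legitimate eight-letter extensions, the cluster threshold and the sample listing are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumption for this example: the appended extension is eight letters of
# mixed case with no digits, as in the article's description. Tune for
# your environment; this is not an official indicator.
RANDOM_EXT = re.compile(r"^[A-Za-z]{8}$")

# Legitimate extensions that happen to be eight letters long (assumed list;
# extend it for your own fleet to cut false positives).
KNOWN_EXTENSIONS = {"manifest", "markdown", "htaccess", "database"}


def suspicious_extensions(paths: List[str], min_files: int = 3) -> Dict[str, List[str]]:
    """Group paths by final extension and return the extensions that look
    random, are not on the allowlist, and appear on at least min_files
    files. A single odd file is noise; the same unknown extension on many
    files is the ransomware signal."""
    by_ext: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[1]
        if RANDOM_EXT.match(ext) and ext.lower() not in KNOWN_EXTENSIONS:
            by_ext[ext].append(path)
    return {ext: hits for ext, hits in by_ext.items() if len(hits) >= min_files}


# Constructed sample listing: three encrypted files, one ransom note and
# three benign files, including two legitimate eight-letter extensions.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.kQwpLzRt",
    r"C:\Users\alice\Documents\notes.docx.kQwpLzRt",
    r"C:\Users\alice\Pictures\holiday.jpg.kQwpLzRt",
    r"C:\Users\alice\Documents\README_kQwpLzRt.txt",
    r"C:\Users\alice\Documents\package.manifest",
    r"C:\Users\alice\Documents\report.pdf",
    r"C:\inetpub\wwwroot\.htaccess",
]

if __name__ == "__main__":
    for ext, hits in suspicious_extensions(SAMPLE_LISTING).items():
        print(f"suspicious extension .{ext} on {len(hits)} files:")
        for hit in hits:
            print("   ", hit)
```

On the sample listing the script reports only `.kQwpLzRt`, since `.manifest` and `.htaccess` are allowlisted and the ransom note keeps a normal `.txt` extension.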

Victims can use the TOR website to obtain more information about the ransom demanded, negotiate with the criminals and receive “technical support.”

Victims are asked, in most cases, to pay the ransom in bitcoin, with a decryption key provided up to 48 hours after payment.

The FBI also said that the ransomware affiliate contacts its victims from spoofed phone numbers and threatens to release the stolen data if the company does not provide a negotiator.

Applications and services used by OnePercent Group operators include AWS S3, IcedID, Cobalt Strike, PowerShell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit.

The FBI linked the OnePercent Group to the notorious REvil (Sodinokibi) ransomware gang, whose data leak website OnePercent has used to leak and auction its victims’ files.

The group is believed to be a “cartel” partner of REvil, carrying out its own attacks and ransom negotiations and turning to REvil only when it cannot obtain a payment on its own.

For more information, read the original story in Bleeping Computer.


TND News Desk

Staff writer for Tech Newsday.