OnePercent Ransomware Targeting Organizations Since 2020

August 25, 2021

The FBI recently issued a warning about a threat actor called OnePercent Group, which has been actively attacking U.S. organizations in ransomware attacks since November 2020.

In a blitz warning issued Monday, the FBI released indicators of compromises, tactics, techniques and procedures (TTP), as well as mitigation measures.

The threat actors use malicious phishing email attachments that drop the IcedID banking trojan payload on the target’s systems. After infecting them with the trojan, the hackers download Cobalt Strike and install it on the compromised endpoints to move deeper into the victims’ networks.

OnePercent Group encrypts the data and exfiltrates it from the systems of the victims. They contact the victims by phone and e-mail and threaten to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency.

After accessing their victims’ networks for up to a month and exfiltrating files before installing the ransomware payloads, OnePercent then encrypts files, appending a random eight-character extension (e.g., dZCqciA), and adds uniquely named ransom notices that link to the group’s website.
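As an added example (not part of the FBI alert or this story), the following Python heuristic flags the renaming pattern described above when run over a file listing: a burst of files sharing one random-looking, mixed-case extension of about eight characters. The regex, the minimum cluster size and the sample paths are assumptions.

```python
import re

# Heuristic built from the FBI description: encrypted files receive a random
# extension of about eight characters (the alert's own example, dZCqciA, is
# seven). Legitimate extensions are rarely mixed-case alphanumeric strings of
# that length, so several files sharing one such extension is a strong signal.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{7,8}$")
MIN_FILES = 5  # assumed threshold: single oddities are usually benign


def is_random_extension(ext: str) -> bool:
    """True if ext looks like a random mixed-case alphanumeric tag."""
    if not RANDOM_EXT.match(ext):
        return False
    has_upper = any(c.isupper() for c in ext)
    has_lower = any(c.islower() for c in ext)
    # Require both cases: all-lower (.xlsx) and all-upper (.TXT) are common.
    return has_upper and has_lower


def suspicious_extensions(paths):
    """Group paths by trailing extension and return {ext: [paths]} for the
    clusters that look like ransomware renames."""
    by_ext = {}
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[1]
        if is_random_extension(ext):
            by_ext.setdefault(ext, []).append(p)
    return {e: ps for e, ps in by_ext.items() if len(ps) >= MIN_FILES}


# Constructed sample listing: ordinary files, one lone mixed-case extension
# (below threshold) and five files renamed with the same random extension.
SAMPLE = [
    "/srv/share/finance/q3.xlsx",
    "/srv/share/finance/README.md",
    "/srv/share/finance/notes.TXT",
    "/srv/share/finance/archive.tar.gz",
    "/srv/share/finance/export.Backup01",
    "/srv/share/finance/q3.xlsx.dZCqciA",
    "/srv/share/finance/budget.docx.dZCqciA",
    "/srv/share/hr/payroll.csv.dZCqciA",
    "/srv/share/hr/contracts.pdf.dZCqciA",
    "/srv/share/hr/onboarding.pptx.dZCqciA",
]

if __name__ == "__main__":
    for ext, files in suspicious_extensions(SAMPLE).items():
        print(f"{ext}: {len(files)} files renamed, e.g. {files[0]}")
```

In practice the listing would come from a file server audit log or a periodic walk of a share, and a hit should trigger isolation of the writing host rather than just a report.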

Victims can use the TOR website to obtain more information about the ransom demanded, negotiate with the cybercriminals and receive “technical support.”

In most cases victims are asked to pay the ransom in bitcoin, with a decryption key provided up to 48 hours after payment.

The FBI also said that the ransomware affiliate contacts its victims from spoofed phone numbers and threatens to release the stolen data if the company does not appoint a negotiator.

Applications and services used by OnePercent Group operators include AWS S3 cloud storage, IcedID, Cobalt Strike, PowerShell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit.

The FBI linked the OnePercent Group to the notorious REvil (Sodinokibi) ransomware gang, whose data leak website OnePercent has used to leak and auction its victims’ files.

The hacking group is reportedly a “cartel” partner of REvil, carrying out its own attacks and ransom demands and turning to REvil only when it cannot obtain a payment itself.

For more information, read the original story in Bleeping Computer.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
