The Federal Bureau of Investigation (FBI) has published a flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.
The alert includes tactics, techniques, and procedures (TTP), along with indicators of compromise related to group.
The flash alert also provides mitigation measures.
“The FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting. OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency.” reads the alert published by the FBI and published by BleepingComputer. “OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data.”
The group leverages phishing messages that use attachments that drop IcedID banking trojan payload on the targets’ systems. The Trojan in used to drop and install Cobalt Strike on the infected system and use it for lateral movement throughout the victims’ networks.
The threat actors have been observed remaining within the victim’s network for approximately one month during which they exfiltrate documents prior to encrypt files with the ransomware payloads.
“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication. The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.” continues the alert. “When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”
OnePercent group encrypts files and appends to their filenames a random eight-character extension (e.g., dZCqciA) and will add uniquely named ransom notes that includes reference to the .onion website operated by the threat actors.
This onion website is used to communicate the ransom amount and provide technical support to the victims that could also use it to negotiate via an online chat functionality implemented by the service.
The group accepts Bitcoin for payments, decryption key will be provided in 24-48 hours after payment.
The group use multiple applications and services in its operations, includeìing AWS S3 cloud, IcedID, Cobalt Strike, Powershell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz, SharpSploit.
“While the FBI hasn’t provided any information on OnePercent Group’s past attacks, two of the command-and-control servers mentioned in FBI’s IOC list (golddisco[.]top and june85[.]cyou) also shows up on FireEye’s report on the UNC2198 threat actor who ICEDID to deploy Maze and Egregor ransomware.” reported BleepingComputer.
Below recommendations provided by the FBI:
(SecurityAffairs – hacking, FBI)