25 August 2021

FBI shares info on “OnePercent Group” ransomware group

The Federal Bureau of Investigation (FBI) has published a flash alert detailing the activities of a cybercriminal group nicknamed “OnePercent Group” that has been conducting ransomware attacks against US organizations since November last year.

According to the agency, the threat actor gains access to networks through phishing emails that deliver the IcedID banking trojan, which in turn downloads additional software, including the Cobalt Strike tool used to move laterally within the targeted network. Other tools the hackers deploy include Rclone, AWS S3 cloud storage, Mimikatz, PowerShell, SharpKatz, BetterSafetyKatz, and SharpSploit.
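As an added example (not from the FBI alert or this article), the following Python sketch shows how a defender might match the tool chain the alert names against process-creation telemetry. The event format (one JSON object per line with host, image and cmdline fields) and the log lines themselves are constructed assumptions for illustration.

```python
"""Detection sketch for the OnePercent Group tool chain: flags process events
matching Rclone cloud transfers, Mimikatz-style credential dumpers and encoded
PowerShell. The events below are constructed for this example, not real telemetry."""
import json
import re

# Assumed event shape: one JSON object per line with "host", "image", "cmdline".
SAMPLE_EVENTS = [
    '{"host":"ws01","image":"C:\\\\Tools\\\\rclone.exe","cmdline":"rclone.exe copy D:\\\\Finance s3remote:bucket --transfers 32"}',
    '{"host":"ws02","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}',
    '{"host":"dc01","image":"C:\\\\Users\\\\Public\\\\SharpKatz.exe","cmdline":"SharpKatz.exe --Command logonpasswords"}',
    '{"host":"ws03","image":"C:\\\\Windows\\\\explorer.exe","cmdline":"explorer.exe"}',
]

RULES = [
    # (rule name, regex over "image cmdline", tactic tag)
    # rclone copy/sync/move with a named remote ("name:" with 2+ chars, so drive letters like D: are ignored)
    ("rclone_cloud_exfil", re.compile(r"rclone(\.exe)?\b.*\b(copy|sync|move)\b.*\b\w{2,}:", re.I), "exfiltration"),
    # Mimikatz and its .NET ports named in the alert, plus their LSASS-dumping command words
    ("credential_dumper", re.compile(r"\b(mimikatz|sharpkatz|bettersafetykatz|sekurlsa|logonpasswords)\b", re.I), "credential-access"),
    # PowerShell launched with an encoded command
    ("powershell_encoded", re.compile(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I), "execution"),
]

def scan_events(lines):
    """Return one dict per (event, rule) match: host, rule name and tactic tag."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for name, pattern, tag in RULES:
            if pattern.search(haystack):
                hits.append({"host": ev["host"], "rule": name, "tag": tag})
    return hits

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The patterns are deliberately narrow; a production rule set would also correlate the Rclone transfer with outbound volume to the S3 endpoint and with the preceding IcedID or Cobalt Strike activity on the same host.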

“OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data,” the flash alert reads.

“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication. The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data. When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

The FBI also noted that OnePercent Group threatens to sell the stolen data to the REvil/Sodinokibi ransomware group if the ransom is not paid, but it provided no further details. Cybersecurity experts, however, believe the OnePercent Group actor is likely an affiliate of REvil.

The US federal law enforcement agency has also shared indicators of compromise, tactics, techniques, and procedures (TTPs), and mitigation measures to help organizations prevent such attacks.
