The Federal Bureau of Investigation’s Cyber Division has issued a flash warning over an organized cyber-criminal gang calling itself OnePercent Group.
In a TLP: WHITE alert published Monday, the FBI said the group has been targeting companies in the United States since November 2020.
OnePercent’s modus operandi is to use the threat emulation software Cobalt Strike to perpetuate ransomware attacks. The infection process begins in the victim’s inbox.
“OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user,” states the FBI warning. “The attachment’s macros infect the system with the IcedID banking trojan.”
The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once activated, the banking trojan downloads extra software onto the victim’s computer, including Cobalt Strike, which the FBI said “moves laterally in the network, primarily with PowerShell removing.”
After accessing a victim’s computer, OnePercent encrypts their data and exfiltrates it from the network using rclone. A virtual ransom note is left that tells the victim they have one week from the date of infection to make contact with the ransomware group.
“OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data,” warned the FBI.
If no contact is made, the group contacts the victim via a ProtonMail email address or over the phone using spoofed phone numbers. Victims are told that a small portion of their data will be leaked through The Onion Router (TOR) network and clearnet, unless a ransom payment is made.
Should a victim refuse to pay up after this initial “one percent leak,” the ransomware group threatens to sell their data to the ransomware gang Sodinokibi (REvil) to publish at an auction.
The FBI said that OnePercent Group threat actors have been spotted entering a victim’s network around a month before ransomware is deployed.
US companies are urged by the FBI to back-up their critical data offline and use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks.