The Federal Bureau of Investigation (FBI) has shared information about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.
The US federal law enforcement agency shared indicators of compromise, tactics, techniques, and procedures (TTPs), and mitigation measures in a flash alert published on Monday.
“The FBI has learned of a cyber-criminal group who self identifies as the ‘OnePercent Group’ and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020,” the FBI said.
“OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency.”
Victims’ networks breached via phishing
The threat actors use malicious phishing email attachments that drop the IcedID banking trojan payload on targets’ systems. After infecting them with the trojan, the attackers download and install Cobalt Strike on compromised endpoints for lateral movement throughout the victims’ networks.
After maintaining access to their victims’ networks for up to one month and exfiltrating files before deploying the ransomware payloads, OnePercent will encrypt files using a random eight-character extension (e.g., dZCqciA) and will add uniquely named ransom notes linking to the gang’s .onion website.
Victims can use the Tor website to get more information on the demanded ransom, negotiate with the attackers, and get “technical support.”
Victims will usually be asked to pay the ransom in bitcoins, with a decryption key provided up to 48 hours after the payment is made.
Applications and services used by the OnePercent Group operators include AWS S3 cloud, IcedID, Cobalt Strike, PowerShell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit.
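A defensive triage heuristic for the encryption behaviour described above (many files renamed to one random extension), written as an added example that is not from the FBI alert or this article. The allowlist, the cluster threshold, the file listing and the 7-to-8-character width are constructed assumptions.

```python
import re
from collections import Counter

# Extension style described in the alert: a random run of letters and digits.
# The text says eight characters while the quoted sample (dZCqciA) has seven,
# so this check accepts 7 or 8 (an assumption of this example).
RANDOM_EXT = re.compile(r"\.([A-Za-z0-9]{7,8})$")

# Legitimate extensions of that length that would otherwise match
# (constructed allowlist; extend it from your own file inventory).
KNOWN_EXTS = {"torrent", "markdown", "manifest", "template", "sqlite3", "numbers"}

# Constructed directory listing standing in for a file-server walk.
SAMPLE_LISTING = [
    r"C:\Finance\Q3\budget.xlsx.dZCqciA",
    r"C:\Finance\Q3\forecast.docx.dZCqciA",
    r"C:\Finance\Q3\payroll.csv.dZCqciA",
    r"C:\Finance\Q3\notes.txt.dZCqciA",
    r"C:\Finance\Q3\vendors.pdf.dZCqciA",
    r"C:\Users\alice\README.markdown",
    r"C:\Users\alice\photo.jpg",
    r"C:\Users\alice\data.sqlite3",
    r"C:\Users\bob\odd.aB3dE4fG",  # one stray file: below the cluster threshold
]

def looks_random(ext):
    """A generated token mixes case or mixes letters and digits; a word does not."""
    lower = any(c.islower() for c in ext)
    upper = any(c.isupper() for c in ext)
    digit = any(c.isdigit() for c in ext)
    return (lower and upper) or (digit and (lower or upper))

def random_extension(path):
    """Return the suspicious trailing extension of path, or None."""
    m = RANDOM_EXT.search(path)
    if not m or m.group(1).lower() in KNOWN_EXTS or not looks_random(m.group(1)):
        return None
    return m.group(1)

def suspicious_extensions(paths, threshold=5):
    """Map each candidate extension to its file count when it appears on at least
    `threshold` files: mass renaming to one novel extension is the signal."""
    counts = Counter(e for e in map(random_extension, paths) if e)
    return {ext: n for ext, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ext, n in suspicious_extensions(SAMPLE_LISTING).items():
        print(f"possible encryption run: {n} files renamed to .{ext}")
```

Run against a scheduled listing of file shares, a hit on a single extension across many files is a reason to check the host for the Cobalt Strike and Rclone activity listed above.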
Victims threatened via phone calls
According to the FBI, OnePercent Group threat actors will also reach out to their victims using spoofed phone numbers, threatening to leak the stolen data unless they’re connected with a company negotiator.
“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication,” the FBI added.
“The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.
“When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”
While the FBI hasn’t provided any information on OnePercent Group’s past attacks, two of the command-and-control servers mentioned in the FBI’s IOC list (golddisco[.]top and june85[.]cyou) also show up in FireEye’s report on the UNC2198 threat actor, who used IcedID to deploy Maze and Egregor ransomware.
The same IOCs were also mentioned in a Team Cymru report from May 2021 on mapping active IcedID network infrastructure.