OnePercent Ransomware Targeting Organizations Since 2020


The FBI recently issued a warning about a threat actor called OnePercent Group, which has been actively attacking U.S. organizations in ransomware attacks since November 2020.

In a flash alert issued Monday, the FBI released indicators of compromise (IOCs), the group's tactics, techniques and procedures (TTPs), and recommended mitigation measures.

The threat actors use malicious phishing email attachments that drop the IcedID banking trojan on the target's systems. After the trojan infection, the hackers download Cobalt Strike and install it on the compromised endpoints to push further into the victims' networks.

OnePercent Group exfiltrates data from the victims' systems and encrypts it. The operators then contact the victims by phone and email and threaten to release the stolen data via The Onion Router (TOR) network and the clearnet unless a ransom is paid in virtual currency.

After maintaining access to a victim's network for up to a month and exfiltrating files, OnePercent deploys the ransomware payload, which encrypts files and appends a random eight-character extension (e.g., dZCqciA), and drops uniquely named ransom notes that link to the group's website.
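As a defender-side triage example added here (it is not part of the FBI alert or the original article), the following Python script scans a file listing for directories where many files carry a random mixed-case suffix like the one described above; the sample listing, the thresholds and the 7-to-8-character length window are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# A random ransomware suffix: letters and digits only, with both upper- and
# lower-case letters present (ordinary extensions such as .docx or .JPEG are
# single-case). Eight characters per the advisory; seven is also accepted
# because the sample suffix quoted above (dZCqciA) is seven characters long.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{7,8}$")


def looks_random(ext: str) -> bool:
    """True if ext (without the leading dot) resembles a random suffix."""
    return (bool(RANDOM_EXT.match(ext))
            and any(c.islower() for c in ext)
            and any(c.isupper() for c in ext))


def scan_listing(paths, min_hits=3, min_ratio=0.5):
    """Group a file listing by directory and flag directories in which at
    least min_hits files, and at least min_ratio of all files, carry a
    random suffix. Returns {directory: (hits, total, most common suffix)}."""
    per_dir = defaultdict(lambda: {"total": 0, "hits": 0, "exts": defaultdict(int)})
    for p in paths:
        path = PurePosixPath(p.replace("\\", "/"))  # tolerate Windows paths
        d = per_dir[str(path.parent)]
        d["total"] += 1
        ext = path.suffix.lstrip(".")
        if looks_random(ext):
            d["hits"] += 1
            d["exts"][ext] += 1
    flagged = {}
    for directory, d in per_dir.items():
        if d["hits"] >= min_hits and d["hits"] / d["total"] >= min_ratio:
            top = max(d["exts"], key=d["exts"].get)
            flagged[directory] = (d["hits"], d["total"], top)
    return flagged


# Constructed sample listing (hypothetical paths, not from the advisory).
SAMPLE = [
    "/srv/share/finance/q3.xlsx.dZCqciA",
    "/srv/share/finance/budget.docx.dZCqciA",
    "/srv/share/finance/payroll.csv.dZCqciA",
    "/srv/share/finance/RESTORE_FILES_k2p9.txt",  # ransom note, unique name
    "/srv/share/it/tools.zip",
    "/srv/share/it/notes.txt",
    "/srv/share/it/setup.MSI",
]

if __name__ == "__main__":
    for directory, (hits, total, ext) in scan_listing(SAMPLE).items():
        print(f"{directory}: {hits}/{total} files renamed with suffix .{ext}")
```

Run it against a recursive listing from a file server (one path per line) to locate directories where encryption has already started; the ransom note itself is not matched, since its name is unique per victim.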

Victims can use the TOR website to obtain more information about the ransom demand, negotiate with the cybercriminals and receive "technical support."

In most cases, victims are asked to pay the ransom in bitcoin, with a decryption key provided up to 48 hours after payment.

The FBI also said that the ransomware affiliate contacts its victims from spoofed phone numbers and threatens to release the stolen data if the company does not appoint a negotiator.

Applications and services used by OnePercent Group operators include AWS S3, IcedID, Cobalt Strike, PowerShell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit.

The FBI linked the OnePercent Group to the notorious REvil (Sodinokibi) ransomware gang, whose data leak website OnePercent used to leak and auction its victims' files.

The group is believed to be a "cartel" partner of REvil, carrying out its own attacks and ransom demands and turning to REvil only when it cannot extract a payment itself.

For more information, read the original story in Bleeping Computer.
