OnePercent Ransomware Group Has Hit US Companies Since November | Digital Guardian


by Chris Brook on Wednesday August 25, 2021


The group, like other malicious campaigns of late, has been using Cobalt Strike to carry out ransomware attacks against companies.

The FBI released more information this week designed to better help defenders mitigate ransomware attacks.

Specifically, the FBI released details on the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) corresponding to ransomware attacks carried out by a previously unknown outfit dubbed the OnePercent Group.

The FBI said in a Flash Alert on Monday that the group has been using Cobalt Strike, a popular commercial penetration testing tool, to carry out ransomware attacks dating back to November 2020.

The attackers have been using fairly traditional techniques to get into systems, enticing victims into opening phishing emails and their attachments, which, naturally, are Word or Excel files rigged with macros that go on to spread malware - in this instance, the IcedID banking trojan. From there, IcedID downloads and installs Cobalt Strike. Now able to move around freely within the network, the attackers steal data, encrypt it, exfiltrate it, and threaten to release it online - via an auction or public website - unless a ransom is paid.

Cobalt Strike, a threat emulation toolkit originally used to train network defenders to understand vulnerabilities, has been increasingly co-opted by attackers, mostly as a second-stage payload in malware campaigns. More recently, attackers involved in the SolarWinds compromise used it to drop an implant, known as a Beacon, to facilitate lateral movement. The Beacon is also used for encrypted communication with the attackers' command and control server.

While the FBI doesn't outright connect the two, it does hint at a connection between OnePercent and the attackers behind the REvil aka Sodinokibi strain of ransomware. In describing the group's efforts around extortion and leaking data, the FBI says if the ransom isn't paid by victims after the group leaks a portion of the data, it will threaten to sell the data to the Sodinokibi group to publish at an auction, suggesting it has some form of relationship with REvil. Bleeping Computer likened the relationship to a cartel partner on Monday. Basically, when the group can't get victims to pay up, they send the data to REvil.

The FBI provides a number of recommendations for organizations to follow to mitigate ransomware from the group, including being on the lookout for specific hashes associated with rclone, a command-line program; ensuring critical data is backed up online; and keeping devices and applications up to date.

The agency also used the alert as an opportunity to direct organizations to its new website designed to aid in preventing ransomware, stopransomware.gov. The site, launched a few weeks ago, has several FAQs, tips, and a link to reporting portals, like the FBI's Internet Crime Complaint Center and CISA's form.
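One way to act on the hash recommendation is a file-system sweep that compares each file's digest against the indicator list. The sketch below is an added example, not code from the FBI alert or from this article; it assumes the indicators are SHA-256 values, and the hash it matches is constructed from a sample file rather than taken from the alert.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes):
    """Return sorted (path, sha256) pairs under root whose digest is in ioc_hashes."""
    # Normalize case and whitespace: IOC lists are often pasted in upper case.
    wanted = {h.strip().lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file; a real sweep would log this
            if digest in wanted:
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Constructed sample: a flagged binary stored under an unrelated file name."""
    payload = b"constructed stand-in for a flagged binary\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        with open(os.path.join(root, "tools", "renamed_copy.bin"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign file\n")
        # Constructed IOC, upper-cased to exercise the normalization in sweep().
        ioc = {hashlib.sha256(payload).hexdigest().upper()}
        return [os.path.basename(p) for p, _ in sweep(root, ioc)]


if __name__ == "__main__":
    print(demo())
```

Matching on content hashes catches a copy that has been renamed, but not a rebuilt or modified binary, so a sweep like this complements rather than replaces behavioral detection.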

The FBI alert provides more guidance for industries like the healthcare sector, which continues to be targeted in ransomware attacks.

John Riggi, the American Hospital Association's senior advisor for cybersecurity and risk, advocated on Tuesday that hospitals and healthcare facilities follow the FBI's guidance.

"As we have seen several high-impact ransomware attacks targeting hospitals and health systems since Aug. 2, I recommend that any and all ransomware alerts issued by the government be given special attention. I and the AHA are closely coordinating with FBI, the Cybersecurity & Infrastructure Security Agency and HHS to exchange information relevant to ransomware attacks for the benefit of the field."


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.