Ransomware: One Percent Makes A Big Impact

Uploaded on 2021-09-13 in GOVERNMENT-Law Enforcement, FREE TO VIEW

The US Federal Bureau of Investigations (FBI) has published its first-ever public advisory detailing the modus operandi of a ransomware affiliate. The warning concerning a criminal gang calling itself One Percent Group which has been targeting companies in the US since November 2020. 

The group’s method is to use the threat emulation software Cobalt Strike to perpetuate ransomware attacks. The infection process begins in the victim's inbox.

"OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user," states the FBI warning. "The attachment's macros infect the system with the IcedID banking trojan."

The FBI warning uses a new term 'ransomware affiliate' to describe One Percent, referring  to a person or group who rent access to Ransomware-as-a-Service (RaaS) platforms', to orchestrates intrusions into corporate networks, encrypt files with the “rented ransomware,” and then earn a commission from successful extortions.

The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once activated, the trojan downloads extra software onto the victim's computer, including Cobalt Strike, which the FBI said "moves laterally in the network, primarily with PowerShell removing."

The extortion/data leak typically follows these steps: 

Leak Warning:   After initially gaining access to a victim network, OnePercent Group actors leave a ransom note stating the data has been encrypted and exfiltrated. The note states the victim needs to contact the OnePercent Group actors on TOR or the victim data will be leaked. If the victim does not make prompt communication within a week of infection, the OnePercent Group actors follow up with emails and phone calls to the victim stating the data will be leaked. 

One Percent Leak:  If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites. 

Full Leak:    If the ransom is not paid in full after the “one percent leak”, OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group to publish at an auction. 

The FBI said that OnePercent Group threat actors have been spotted entering a victim's network around a month before ransomware is deployed.   US companies are urged by the FBI to back-up their critical data offline and use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks. 

IC3:        Bleeping Computer:          The Record:         Infosecurity Magazine

You Might Also Read: 

FBI & CISA Advice On Ransomware Attacks:

 

« Outdated Strategies In Maritime Cyber Security
Mēris Botnet Goes Global »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Echelon

Echelon

Echelon Company is a provider of information security services specializing in certification of security software and hardware products in Russia.

Advenica

Advenica

Advenica develops, manufactures and sells innovative cybersecurity solutions for encryption and secure information exchange.

Secnology

Secnology

Secnology is dedicated to developing and providing the most powerful and user friendly event analysis and security management solution.

Gemserv

Gemserv

Gemserv is a specialist market design, governance and assurance services consultancy.

BigWeb Technologies

BigWeb Technologies

BigWeb Technologies is dedicated to provide its clients with ICT related services including Infrastructure Solutions, Consultancy and Security.

Gradiant

Gradiant

Gradiant’s mission is to contribute to the growth and competitive improvement of Galician businesses through technology development and innovation using ICT.

Highland Capital Partners

Highland Capital Partners

Highland Capital Partners is an early stage venture capital firm focused on category-defining businesses in consumer and enterprise technology, including cybersecurity.

United Network Technologies

United Network Technologies

United Network Technologies is a leading Managed Services Provider, distributor and developer of specialised cyber security components and technologies.

Gigit

Gigit

Gigit’s Service portfolio focuses on your business’ needs and the integration of comprehensive cybersecurity policies, plans, procedures, and practices into your business culture and operations.

Cybolt

Cybolt

Cybolt helps companies, organizations, and governments manage digital risks and live in an environment of confidence and certainty.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

Extreme Networks

Extreme Networks

Since 1996, Extreme has been pushing the boundaries of networking technology, driven by a vision of making it simpler and faster as well as more agile and secure.

Cydea

Cydea

Cydea are an optimistic cyber security consultancy of experts in security, data, technology and design that want to build a safer, more secure world where more things go right.

IONIX

IONIX

IONIX (formerly Cyberpion) is the attack surface management solution that uses Connective Intelligence to shine a spotlight on exploitable risks across your supply chain.

turingpoint

turingpoint

turingpoint GmbH is a tech enabled boutique consultancy. It was founded by security experts with a focus on cyber security and software solutions.

Network Coverage

Network Coverage

Network Coverage align, maintain, and integrate technology and cloud solutions with business operations to improve productivity and security with as few issues and disruptions as possible.