Ransomware: One Percent Makes A Big Impact

Uploaded on 2021-09-13 in GOVERNMENT-Law Enforcement, FREE TO VIEW

The US Federal Bureau of Investigations (FBI) has published its first-ever public advisory detailing the modus operandi of a ransomware affiliate. The warning concerning a criminal gang calling itself One Percent Group which has been targeting companies in the US since November 2020. 

The group’s method is to use the threat emulation software Cobalt Strike to perpetuate ransomware attacks. The infection process begins in the victim's inbox.

"OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user," states the FBI warning. "The attachment's macros infect the system with the IcedID banking trojan."

The FBI warning uses a new term 'ransomware affiliate' to describe One Percent, referring  to a person or group who rent access to Ransomware-as-a-Service (RaaS) platforms', to orchestrates intrusions into corporate networks, encrypt files with the “rented ransomware,” and then earn a commission from successful extortions.

The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once activated, the trojan downloads extra software onto the victim's computer, including Cobalt Strike, which the FBI said "moves laterally in the network, primarily with PowerShell removing."

The extortion/data leak typically follows these steps: 

Leak Warning:   After initially gaining access to a victim network, OnePercent Group actors leave a ransom note stating the data has been encrypted and exfiltrated. The note states the victim needs to contact the OnePercent Group actors on TOR or the victim data will be leaked. If the victim does not make prompt communication within a week of infection, the OnePercent Group actors follow up with emails and phone calls to the victim stating the data will be leaked. 

One Percent Leak:  If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites. 

Full Leak:    If the ransom is not paid in full after the “one percent leak”, OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group to publish at an auction. 

The FBI said that OnePercent Group threat actors have been spotted entering a victim's network around a month before ransomware is deployed.   US companies are urged by the FBI to back-up their critical data offline and use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks. 

IC3:        Bleeping Computer:          The Record:         Infosecurity Magazine

You Might Also Read: 

FBI & CISA Advice On Ransomware Attacks:

 

« Outdated Strategies In Maritime Cyber Security
Mēris Botnet Goes Global »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Backup Systems

Backup Systems

Backup Systems is a leading backup and disaster recovery systems provider across the UK.

vArmour

vArmour

vArmour is the industry’s first distributed security system that provides insight and control for multi-cloud environments.

CLUSIF

CLUSIF

Clusif is the reference association for digital security in France. Its mission is to promote the exchange of ideas and feedback through working groups, conferences and publications.

Hivint

Hivint

Hivint is a new kind of Information Security professional services company enabling collaboration between our clients to reduce unnecessary security spend.

KOBIL

KOBIL

KOBIL is a pioneer in the fields of smart card, one-time password, authentication and cryptography.

Intelligent Business Solutions Cyprus (IBSCY)

Intelligent Business Solutions Cyprus (IBSCY)

IBSCY Ltd is a leading provider of total IT solutions and services in Cyprus specializing in the areas of cloud services and applications, systems integration, IT infrastructure and security.

Jobsora

Jobsora

Jobsora is an innovative job search platform in the UK and more than 35 other countries around the world. Sectors covered include IT and cybersecurity.

Cingo Solutions

Cingo Solutions

Cingo Solutions is a Managed Detection & Response company providing specialized data security services.

Sigma IT

Sigma IT

SIGMA IT is one of the largest IT services organizations in EMEA region providing a full range of solutions and services including cybersecurity, data protection and business continuity.

Banshie

Banshie

Banshie is an independent cyber security company with a small team of recognized specialist that are among the best in their field.

Cranfield University

Cranfield University

Cranfield Defence and Security are at the forefront of their fields, offering capabilities ranging from cyber security and digital warfare to robotics, forensic sciences and simulation and analytics.

Aura

Aura

Aura is a mission driven technology company dedicated to creating a safer internet for everyone. We’re making comprehensive digital security that's simple to understand and easy to use.

ReasonLabs

ReasonLabs

ReasonLabs have created a next-generation anti-virus that is enterprise grade, yet accessible to any personal device around the world.

GrayHats

GrayHats

GrayHats is a platform-based cybersecurity company devoted to delivering comprehensive, scalable, and proactive protection for businesses in an ever-evolving threat landscape.

TrustNet

TrustNet

TrustNet helps mid-to-large firms build trust through top-tier cybersecurity, compliance, and consulting—offering complete managed services all in one place.

CloudQuery

CloudQuery

CloudQuery - bringing clarity into cloud infrastructure. The developer-first cloud governance platform for full visibility into security, compliance, and cost.