The FBI’s cyber division issued a warning regarding a cyber-criminal group known as the “OnePercent Group”, stating that it has been targeting U.S. companies in ransomware attacks since November 2020. The FBI also shared information on the group’s tactics, techniques and procedures (TTPs), mitigation measures and indicators of compromise.

The OnePercent Group’s infection process begins in the victim’s inbox and relies on Cobalt Strike, a threat emulation tool, to carry out the ransomware attack. The threat actors typically send a phishing email with a zip attachment containing a Microsoft Word or Excel file that infects the victim’s system with the IcedID banking trojan; IcedID then installs Cobalt Strike on the compromised endpoints so the actors can move laterally through the network.

Once OnePercent has access to the victim’s computer, they encrypt the victim’s data, exfiltrate it from the network using rclone, and leave a ransom note informing the victim that they have one week to contact the group. The FBI warns that the threat actors usually begin the extortion process with a warning and then escalate from a partial leak to a full leak of the victim’s data.

Before deploying the ransomware payload, OnePercent maintains access to the victim’s network for up to a month, exfiltrating data and encrypting files, which are renamed with a random eight-character extension, and adds uniquely named ransom notes containing a link to the group’s .onion website. The threat actors then contact the victim by email and telephone, threatening to release a small portion of the stolen data through The Onion Router (Tor) network and the clearnet unless the victim pays the ransom in bitcoin. Victims can obtain more information on the demanded ransom and technical support through the Tor website, and a decryption key is provided 48 hours after the ransom is paid.
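The mass rename described above (many files suddenly carrying the same random eight-character extension) is something a defender can look for on a file share or endpoint. The following is an added example, not code from the FBI advisory or from SpearTip; the allowlist, the alert threshold and the sample file listing are constructed assumptions.

```python
import os
import re
from collections import Counter

# Assumed detection idea: encrypted files get a random eight-character
# extension, so one unknown extension shared by many files is the signal.
EIGHT_CHAR_EXT = re.compile(r"^[A-Za-z0-9]{8}$")
# Assumed allowlist of legitimate eight-character extensions (extend locally).
ALLOWLIST = {"manifest", "markdown"}


def suspicious_extension(filename):
    """Return the extension if it looks like a random eight-character tag, else None."""
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:          # no extension at all
        return None
    if EIGHT_CHAR_EXT.match(ext) and ext.lower() not in ALLOWLIST:
        return ext
    return None


def cluster_extensions(filenames, min_hits=5):
    """Count suspicious extensions; report only those shared by >= min_hits files.
    A single oddly named file is usually noise; dozens with one tag is a rename."""
    counts = Counter()
    for name in filenames:
        ext = suspicious_extension(name)
        if ext:
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= min_hits}


def scan_tree(root, min_hits=5):
    """Walk a real directory tree and apply the same clustering to its filenames."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return cluster_extensions(names, min_hits)


# Constructed sample listing: six documents renamed with the same tag, a note
# file, and ordinary files that must not raise an alert.
SAMPLE_LISTING = [
    "q3_forecast.xlsx.a7k2p9xd", "board_minutes.docx.a7k2p9xd",
    "payroll.csv.a7k2p9xd", "contract.pdf.a7k2p9xd",
    "backup.zip.a7k2p9xd", "notes.txt.a7k2p9xd",
    "README-NOTE-9f1c.txt", "report.docx", "site.manifest",
    "file.markdown", "archive.tar.gz", "a7k2p9xd",
]


def demo():
    return cluster_extensions(SAMPLE_LISTING)


if __name__ == "__main__":
    print(demo())  # {'a7k2p9xd': 6}
```

Run `scan_tree("/path/to/share")` against a real tree; a non-empty result is worth an immediate look at recent file modification times and the process that made them.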

If the victims refuse to pay the ransom after the initial “one percent leak”, OnePercent threatens to sell their data at an auction to the Sodinokibi (REvil) ransomware group.

With new ransomware groups emerging and becoming more active in the threat landscape, it’s crucial for US companies to move data backups offline and implement multi-factor authentication for employees to keep precious assets protected. Threat actors are always looking for innovative ways to infiltrate your company’s network, but with SpearTip’s Security Operations Center as a Service, a dedicated team of certified engineers will continuously monitor your network and provide a rapid response to intrusions.

Our engineers work in tandem with ShadowSpear, our endpoint detection and response tool, to detect threats early and prevent them from accessing your network. ShadowSpear also contains a customized dashboard that tracks threats in real-time and gives our clients direct access to our certified engineers.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.