The threat actor has been targeting US companies in dual extortion attacks since fall of last year.


A ransomware operator calling itself the OnePercent group has been attacking US companies since at least November 2020, using the Cobalt Strike post-exploitation toolkit and remote PowerShell commands to move laterally on compromised networks.

In an advisory this week, the FBI described the group as using phishing emails with a malicious zip-file attachment as the initial infection vector. The file has typically included a Microsoft Word or Excel document with malicious macros that infect systems with IcedID, a known banking Trojan. The Trojan (which some vendors refer to as BokBot) then downloads additional malware, including Cobalt Strike, onto the compromised system.
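As an added illustration (not code from the FBI advisory or this article), here is a small Python check a mail gateway could apply to the zip-attachment vector just described: it opens the attachment, flags Office members that embed a VBA project (OOXML files carry it as vbaProject.bin) and routes legacy OLE2 binaries to deeper inspection, since macro presence there needs a dedicated parser. The sample attachment and stub documents are constructed inline.

```python
import io
import zipfile

# OOXML documents (.docx/.docm/.xlsx/.xlsm ...) are zip containers; a VBA
# project is stored inside them as word/vbaProject.bin or xl/vbaProject.bin.
OOXML_SUFFIXES = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm")
# Legacy binary Word/Excel files are OLE2 compound files with this magic.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LEGACY_SUFFIXES = (".doc", ".xls")

def ooxml_has_vba(doc_bytes: bytes) -> bool:
    """True if an OOXML document embeds a VBA project; False for non-zip input."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False

def scan_zip_attachment(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each Office file that should be held."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            name, data = info.filename.lower(), outer.read(info)
            if name.endswith(OOXML_SUFFIXES) and ooxml_has_vba(data):
                findings.append((info.filename, "ooxml-vba-project"))
            elif name.endswith(LEGACY_SUFFIXES) and data.startswith(OLE2_MAGIC):
                # Macro streams in OLE2 need a dedicated parser; route to sandbox.
                findings.append((info.filename, "legacy-ole2-needs-inspection"))
    return findings

def _stub_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            doc.writestr("word/vbaProject.bin", b"\x00stub")
    return buf.getvalue()

def build_sample_attachment() -> bytes:
    """Constructed zip attachment: a macro .docm, a legacy .xls and a clean .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("invoice.docm", _stub_ooxml(with_vba=True))
        outer.writestr("quarterly.xls", OLE2_MAGIC + b"\x00" * 64)
        outer.writestr("readme.docx", _stub_ooxml(with_vba=False))
    return buf.getvalue()
```

The clean readme.docx produces no finding, so a gateway can hold only the flagged members rather than the whole message.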

As has become common with ransomware operators these days, the OnePercent group's attacks have involved double-extortion attempts. The group not only encrypts data but also exfiltrates it and uses the threat of public exposure of the data as additional leverage to try to extract money from victims. Among the tools and infrastructure that the FBI listed the group as using in its campaign are AWS S3 storage buckets, PowerShell, Cobalt Strike, Mimikatz, SharpSploit, and SharpKatz. Many of these are dual-use tools that can be used for legitimate as well as malicious purposes.

The OnePercent group's modus operandi has involved leaving a note on compromised systems informing victims that their data has been both encrypted and stolen. The note instructs the victim organization to contact the threat group via the Tor communication channel to arrange for the ransom payment. If the victim doesn't respond in a week, the attackers switch to contacting them persistently via phone using spoofed numbers and demanding to speak with the company's ransom negotiator. 

If a victim doesn't respond to the phone calls, the threat actor sends an email from a ProtonMail email address threatening to publicly release the victim's stolen data, the FBI said.

One Percent "Leak"
A continued failure to respond or to make the ransom payment within the stipulated time frame results in the attacker releasing a portion of the stolen data — a "one percent leak" — as proof of intent and capability. That move is then followed by another threat to sell the stolen data in full to rival ransomware operator the Sodinokibi Group (aka REvil), which in turn will auction the data to the highest bidder. 

"OnePercent group actors' extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data," the FBI said in its advisory.

This ransomware gang is yet another in a seemingly never-ending number of new players in the ransomware scene. Security researchers have attributed the rapidly growing number of players in the space to the easy availability of ransomware-as-a-service (RaaS) operations such as DarkSide, REvil, LockBit, and Netwalker. RaaS offerings — where an operator leases out the use of their ransomware tool and infrastructure in exchange for a portion of ransom payouts — have allowed even novice attackers to deploy relatively sophisticated malware against targets of their choice.

Why Now?
Alec Alvarado, threat intelligence team lead at Digital Shadows, says the FBI's reason for releasing an advisory on the OnePercent group's operation is not clear. "It is certainly interesting to ponder why the FBI chose the OnePercent group to release a Flash about, as the group doesn't necessarily appear to sway significantly from known ransomware tactics," Alvarado says.

One likelihood is that the FBI suspects increased activity by the group. Or it was motivated by the limited reporting on the group's activities within the industry so far, he says.

Regardless of the FBI's motive, the OnePercent ransomware group's operations are another example of the cooperation that exists between some ransomware groups, Alvarado notes. "Based on the [indicators of compromise] released in the FBI Flash," he says, "OnePercent appears to relate in some fashion to the threat actor tracked as UNC2198, reportedly known to distribute either the Maze or Egregor ransomware."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
