A ransomware operator calling itself the OnePercent group has been attacking US companies since at least November 2020 using the Cobalt Strike post-exploit toolkit and remote PowerShell commands to move laterally on compromised networks.
In an advisory this week, the FBI described the group as using phishing emails with a malicious zip-file attachment as an initial infector vector. The file has typically included a Microsoft Word or Excel document with malicious macros that infect systems with IcedID, a known banking Trojan. The Trojan (which some vendors refer to as BokBok) then downloads additional malware, including Cobalt Strike, on the compromised system.
As has become common with ransomware operators these days, the OnePercent group's attacks have involved double-extortion attempts. The group not only encrypts data but also exfiltrates it and uses the threat of public exposure of the data as additional leverage to try and extract money from victims. Among the tools and infrastructure that the FBI listed the group as using in its campaign are AWS S3 storage buckets, PowerShell, Cobalt Strike, Mimikatz, SharpSploit, and SharpKatz. Many of these are dual-use tools that can be used for legitimate as well as malicious purposes.
The OnePercent group's modus operandi has involved leaving a note on compromised systems informing victims that their data has been both encrypted and stolen. The note instructs the victim organization to contact the threat group via the Tor communication channel to arrange for the ransom payment. If the victim doesn't respond in a week, the attackers switch to contacting them persistently via phone using spoofed numbers and demanding to speak with the company's ransom negotiator.
If a victim doesn't respond to the phone calls, the threat actor sends an email from a ProtonMail email address threatening to publicly release the victim's stolen data, the FBI said.
One Percent "Leak"
A continued failure to respond or to make the ransom payment within the stipulated time frame results in the attacker releasing a portion of the stolen data — a "one percent leak" — as proof of intent and capability. That move is then followed by another threat to sell the stolen data in full to rival ransomware operator the Sodinokibi Group (aka REvil), which in turn will auction the data to the highest bidder.
"OnePercent group actors' extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data," the FBI said in its advisory.
This ransomware gang is yet another in a seemingly never-ending number of new players in the ransomware scene. Security researchers have attributed the rapidly growing number of players in the space to the easy availability of ransomware-as-a-service (RaaS) operations such as DarkSide, REvil, LockBit, and Netwalker. RaaS offerings — where an operator leases out the use of their ransomware tool and infrastructure in exchange for a portion of ransom payouts — have allowed even novice attackers to deploy relatively sophisticated malware against targets of their choice.
Alec Alvarado, threat intelligence team lead at Digital Shadows says the FBI's reason for releasing an advisory on the OnePercent group's operation is not clear. "It is certainly interesting to ponder why the FBI chose the OnePercent group to release a Flash about, as the group doesn't necessarily appear to sway significantly from known ransomware tactics," Alvarado says.
One likelihood is that the FBI suspects increased activity by the group. Or it was motivated by the limited reporting on the group's activities within the industry so far, he says.
Regardless of the FBI's motive, the OnePercent ransomware group's operations are another example of the cooperation that exists between some ransomware groups. Alvarado notes. "Based on the [indicators of compromise] released in the FBI Flash," he says, "OnePercent appears to relate in some fashion to the threat actor tracked as UNC2198, reportedly known to distribute either the Maze or Egregor ransomware."