image courtesy, The Hacker News
The OnePercent Group as mentioned by the FBI in the Flash alert, is a criminal organisation that uses ransomware attacks against US companies to gain unauthorized access to their systems. The group has been actively practicing its malicious activities in the US since at least November 2020.
According to the report, OnePercent Group actors generally entangle their prey by using phishing mails that contain malicious attachments or documents, which on opening drops an IcedID1 banking Trojan in the victim’s system. After infecting the system the malware is used to install Cobalt Strike on compromised networks, which moves laterally to other systems in the environment, primarily with PowerShell remoting.
The group actors infiltrate the victim’s device and encrypt the data using eight character extensions and exfiltrate it from the system. The actors observe the data and movement of the victims approximately for one month prior to the deployment of ransomware, the FBI mentions.
image courtesy, Technadu.com
After infecting and gathering all the data of the user, the group tries to communicate and inform them about the attack through some ransom notes, which generally says to contact the group via telephone, by email or proton mails provided in the notes. OnePercent threatens to leak the stolen data through “The Onion Router” (TOR) and clearnet or sell it to Sodinokibi Group to publish the data in an auction unless the ransom is paid in virtual currency; the FBI mentioned this in their flash alert. The group first starts by giving their prey some warning and progress with “one percent leak” of their data and finally leak the full data if the payment is not done.
On the information gathered by bleeping computer, these threat actors have formed a type of cartel with other ransomware groups like REevil, Maze and LockBit for mutual benefits. They share information and work together for extortion of ransom.
The FBI recommended some mitigation such as backing up data offline, ensuring administrators not using “admin approval’ mode, implementing Microsoft LAPS, etc. The FBI also encourages the recipients of flash alert to report information concerning suspicious activity to their local FBI field office.