What’s happened?

The FBI has published a warning about a ransomware gang called the OnePercent Group, which has been attacking U.S. companies since November 2020.

How are companies being attacked by the OnePercent gang?

The gang emails targeted individuals inside an organization using social engineering tricks to dupe the unwary into opening a malicious Word document contained within an attached ZIP file.

And the attachment encrypts data on the user’s PC?

Not quite. Macros embedded within the document install a modular banking Trojan horse known as IcedID onto the victim’s computer.
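The delivery chain just described (ZIP attachment, Word document inside, macros inside that) is something a mail gateway can check for structurally, without opening the document. The following Python script is an added example and is not code from the article, the FBI advisory, or any named product: it walks a ZIP attachment, classifies each Office file it finds, and flags documents that embed a VBA project. The sample attachment is constructed inside the script; the file names, the two-level nesting limit, and the verdict labels are assumptions made for the illustration.

```python
"""Flag mail attachments that match a ZIP-wraps-macro-document delivery chain.

Added example (not from the article or the FBI advisory). Heuristic and
offline: it inspects container structure, never the macro code itself.
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls), which can carry macros
# but needs a dedicated OLE parser to confirm it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm",
                     ".xls", ".xlsm", ".xlsx")
MAX_NESTING = 2  # assumption: refuse to unpack ZIP-in-ZIP-in-ZIP


def office_macro_status(name, data):
    """Classify one file: 'macro', 'legacy-binary', 'clean', 'malformed' or 'not-office'."""
    if not name.lower().endswith(OFFICE_EXTENSIONS):
        return "not-office"
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            # OOXML keeps VBA in a vbaProject.bin part whatever the extension says,
            # so trust the part list, not the ".docx" suffix.
            if any(p.lower().endswith("vbaproject.bin") for p in doc.namelist()):
                return "macro"
        return "clean"
    return "malformed"  # Office extension but neither OLE nor OOXML container


def scan_attachment(filename, data, depth=0):
    """Return (path, verdict) for each Office file, descending into plain ZIPs."""
    findings = []
    is_container = (zipfile.is_zipfile(io.BytesIO(data))
                    and not filename.lower().endswith(OFFICE_EXTENSIONS))
    if is_container:
        if depth >= MAX_NESTING:
            return [(filename, "nested-too-deep")]
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                path = f"{filename}/{info.filename}"
                try:
                    inner = archive.read(info)
                except RuntimeError:
                    # Password-protected entry: cannot inspect, so report it.
                    findings.append((path, "encrypted"))
                    continue
                findings.extend(scan_attachment(path, inner, depth + 1))
        return findings
    verdict = office_macro_status(filename, data)
    if verdict != "not-office":
        findings.append((filename, verdict))
    return findings


def should_quarantine(findings):
    """Hold the message if anything could carry macros or could not be inspected."""
    risky = {"macro", "legacy-binary", "encrypted", "nested-too-deep", "malformed"}
    return any(verdict in risky for _, verdict in findings)


def _zip(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed test data: a ZIP holding a macro-enabled doc, a clean doc and a text file."""
    macro_doc = _zip({"[Content_Types].xml": b"<Types/>",
                      "word/document.xml": b"<w:document/>",
                      "word/vbaProject.bin": b"\x00" * 16})
    clean_doc = _zip({"[Content_Types].xml": b"<Types/>",
                      "word/document.xml": b"<w:document/>"})
    return _zip({"invoice.docm": macro_doc, "notes.docx": clean_doc,
                 "readme.txt": b"constructed sample"})


if __name__ == "__main__":
    results = scan_attachment("attachment.zip", build_sample_attachment())
    for path, verdict in results:
        print(f"{verdict:14} {path}")
    print("quarantine:", should_quarantine(results))
```

The check deliberately treats anything it cannot inspect (encrypted entries, over-deep nesting) as grounds for holding the message, since a gateway that waves through what it cannot see is easy to route around.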

IcedID (also sometimes known as BokBot) can steal login credentials for financial institutions as users attempt to access their online bank accounts, but it can also download and drop other malware. One imagines IcedID was deliberately expanded in this fashion to make it more lucrative for cybercriminals.

One of the additional pieces of software that IcedID can download is Cobalt Strike, a penetration testing tool much loved by malicious hackers for the way it can assist the compromise of an organization.

The attackers use Cobalt Strike to move laterally through the targeted organization’s network, opening the opportunity for remote hackers to exfiltrate sensitive data and then leave it encrypted on the corporate victim’s systems. According to the FBI, the criminals have been observed within victims’ networks for “approximately one month prior to the deployment of the ransomware.”

So they could find out a lot about a company in that time…

Yes. Chances are that they would have learnt a great deal about your organization and may have succeeded in accessing highly sensitive data.

And then the company receives a ransom demand?

Yes, the OnePercent Group leaves a ransom note for its victim, explaining that data has been encrypted and stolen. A threat is made to release the data unless the company responds within one week.

And what happens if you are hit by the gang and don’t respond within one week?

Unfortunately, the OnePercent Group doesn’t seem to forget about you. They make contact with tardy victims via email or telephone, applying additional pressure to pay.

Wait. They telephone their victims? Doesn’t that help reveal who they are?

Telephone numbers can be spoofed and hide the true caller, just like email addresses.

And what if the ransom is still not paid up?

If payment is not made quickly, the OnePercent Group threatens to release a portion of the stolen data (1%, which is seemingly where the group gets its name from) on the dark web.

And if the company continues to refuse to pay the ransom?

The OnePercent Group threatens to sell the exfiltrated data to the REvil cybercrime group to be auctioned off to the highest bidder.

What can my company do about this to protect itself?

Aside from ensuring that anti-virus products are configured to detect tools known to be used by the OnePercent Group during the attack and exfiltration of data, the FBI offers a number of additional tips:

  • Back up critical data offline.
  • Ensure administrators are not using “Admin Approval” mode.
  • Implement Microsoft LAPS, if possible.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
  • Keep computers, devices, and applications patched and up to date.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.
  • Use multi-factor authentication with strong passphrases.
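Several of these tips are about remote access, and “monitor remote access/RDP logs” is the one that most often gets written down without being implemented. As an added example that is not part of the article or the FBI advisory, the Python below shows what such monitoring can look like: it reads Windows Security event 4624 records (logon type 10 is RemoteInteractive, i.e. RDP) and raises an alert for every successful RDP logon whose source address is outside an approved jump-host range. The event records are constructed one-line flattenings with invented values (the field names mirror the real 4624 message), and the approved subnet and the list of privileged account names are assumptions; in production the records would come from a SIEM or a `Get-WinEvent` export.

```python
"""Alert on RDP logons that do not originate from approved management hosts.

Added example (not from the article or the FBI advisory). Input is a list of
Security event records flattened to 'Key=Value' pairs, one record per line.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records: field names follow the 4624/4625 event message,
# every value is invented for this example.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.5.12 WorkstationName=JUMP01",
    "EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.20.5.13 WorkstationName=JUMP02",
    "EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.44.9.77 WorkstationName=WS-FIN-17",
    "EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=- WorkstationName=WS-FIN-17",
    "EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=172.16.8.201 WorkstationName=DESKTOP-3F",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=172.16.8.201 WorkstationName=DESKTOP-3F",
]

# Assumption: RDP is only expected from this jump-host subnet.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]
# Assumption: accounts whose RDP use always merits review.
PRIVILEGED_ACCOUNTS = {"administrator"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict."""
    return dict(FIELD_RE.findall(line))


def successful_rdp_logons(lines):
    """Keep only 4624 records with logon type 10 (RemoteInteractive)."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "10":
            yield ev


def rdp_alerts(lines):
    """Return (account, source, reason) for RDP logons worth a human look."""
    alerts = []
    for ev in successful_rdp_logons(lines):
        account = ev.get("TargetUserName", "?")
        src = ev.get("IpAddress", "-")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            alerts.append((account, src, "unparseable source address"))
            continue
        if not any(addr in net for net in APPROVED_RDP_SOURCES):
            alerts.append((account, src, "source outside approved RDP range"))
        elif account.lower() in PRIVILEGED_ACCOUNTS:
            alerts.append((account, src, "privileged account over RDP"))
    return alerts


def rdp_sources_per_account(lines):
    """Distinct RDP source addresses per account; a sudden spread hints at lateral movement."""
    seen = defaultdict(set)
    for ev in successful_rdp_logons(lines):
        seen[ev.get("TargetUserName", "?")].add(ev.get("IpAddress", "-"))
    return {account: sorted(srcs) for account, srcs in seen.items()}


if __name__ == "__main__":
    for account, src, reason in rdp_alerts(SAMPLE_EVENTS):
        print(f"ALERT {account:14} from {src:15} {reason}")
    for account, srcs in rdp_sources_per_account(SAMPLE_EVENTS).items():
        print(f"{account}: {len(srcs)} RDP source(s) {srcs}")
```

The failed logon (4625) is deliberately left out of the alerts here; brute-force counting is a separate rule, and mixing it into the same alert makes the successful out-of-range logon, the one that matters most, easy to lose in noise.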

What else do we know about the OnePercent Group?

Not much. According to The Record, it is a ransomware-as-a-service affiliate, which has worked in the past with other groups such as REvil, Maze, and Egregor.

More details can be found in the FBI advisory.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.