The Federal Bureau of Investigation (FBI) warns companies about the ransomware group “OnePercent” (or 1Percent) which is leveraging both the IceID Trojan and Cobalt Strike backdoor to get itself inside networks.
OnePercent encrypts and steals corporate data, then threatens victims to auction or release the information if the ransom is not paid (as most high-profile ransomware groups do).
What Is Known About the OnePercent Group?
This ransomware group seems to be active since November 2020, with US companies being their prime target of aggressive-seeking members who call victims through spoofed phone numbers and actively email them ProtonMail addresses if no answer is received after one week.
Their ransom note directs victims to a Tor-hosted website (anonymous network) where the ransom amount is displayed with a Bitcoin address where it must be paid, as well as a live chat feature to contact the attack group.
According to the FB: “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.
What happens after that first week’s threats? Well, the OnePercent group releases a portion (1%, which is where the group seemingly gets its name from) on the dark web If payment is not made quickly.
They also sell the exfiltrated data to the REvil cybercrime group to be auctioned off to the highest bidder.
“The Record” explains why this happens. This group works as a ransomware-as-a-service affiliate, meaning they partner with other ransomware groups like REvil, Maze, and Egregor.
How Does the OnePercent Ransomware Works?
As it was mentioned, the OnePercent group relies on a IceID Trojan to geti nto networks.
For those who don’t know, such “IceID” was designed to steal online banking credentials but it expanded into an “access platform” for many ransomware groups. Similar tactics have been used by the have Ryuk and REvil ransomware groups, with TrickBot and Dridex Trojans.
But how exactly does the IceID works?
It is distributed through phishing emails carrying malicious zip attachments, with Word documents possessing malicious macros. When executed, they will download and install IceID.
The attackers will deploy the commercial penetration testing agent “Cobalt Strike” following the infection. This one is used for backdoor access on infected systems and lateral network navigation using PowerShell scripts.
What makes this infection extremely dangerous for your company, is how fast it can expand inside your network and exfiltrate data (even one month prior to the ransomware deployment) before its encryption.
It makes use of open-source tools as MimiKatz (credential dumping program), SharpKatz and BetterSafetyKatz, the SharpSploit (post-exploitation library written in .NET) and the rclone command-line utility, during this time.
The latest allows file managing on cloud services.
How to Protect Your Company from the OnePercent Ransomware
The FBI provided some recommendations aside from ensuring the proper configuration of anti-virus and detection products.
- Back up vital data offline (on an external hard drive or storage device)
- Add hashes for various rclone binaries to their malware detection programs.
- Confirm administrators aren’t using the “Admin Approval” mode.
- If possible, implement Microsoft LAPS.
- Implement network segmentation.
- Ensure data is not accessible for modification or deletion from the system where original data resides.
- Keep an eye on patch updates for computers, devices, and applications.
- Add an email banner to emails received from outsiders.
- Disable Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configures access controls.
- Use multi-factor authentication, along with strong passphrases.
Does any or most of the previous safety measures look too complex for you and your team?
Unfortunately, there’s a lot more to do if you want to keep your business safe from gangs like the OnePercent.
Don’t worry – we can handle it.
Our services range from remote and emergency IT support to malware removal.
Don’t you know where to start?
Submit a ticket and we’ll take care of your personalized request.