The FBI has issued an alert regarding OnePercent Group ransomware attacks and the indicators of compromise (IOCs) associated with them. This alert comes after cybercriminals began using Cobalt Strike threat emulation software to launch these attacks in November 2020.
OnePercent hackers initiate an attack via a phishing email that asks a user to open an attachment, the FBI said. The attachment contains macros that can infect a user's system with the IcedID banking trojan.
Furthermore, OnePercent cybercriminals encrypt data and exfiltrate it from victims' systems, the FBI noted. They then contact victims via telephone and email and threaten to release their stolen data unless a ransom is paid in virtual currency.
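As an added example (not from the FBI alert or this article), the following mail-gateway check flags the macro-bearing Office attachments that the phishing vector described above depends on; the file names and sample documents are constructed here for illustration.

```python
"""Flag macro-bearing Office attachments before they reach a user's inbox."""
import io
import zipfile

# Parts that exist only when an Office Open XML document carries VBA code.
MACRO_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml")
# Macro-enabled OOXML extensions; a renamed .docx is still caught by content.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def has_vba_macros(attachment: bytes) -> bool:
    """Return True if the attachment is an OOXML zip containing a VBA project part."""
    if not attachment.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            return any(name.endswith(MACRO_PART_SUFFIXES) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_legacy_office(attachment: bytes) -> bool:
    """OLE2 compound files (old .doc/.xls) can carry macros without a zip structure."""
    return attachment.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")


def triage_attachment(filename: str, attachment: bytes) -> str:
    """Classify an attachment as 'block', 'review' or 'allow' for a gateway policy."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_macros(attachment) or ext in MACRO_EXTENSIONS:
        return "block"
    if is_legacy_office(attachment):
        return "review"  # legacy format: needs an OLE-aware scan before delivery
    return "allow"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("invoice.docx", build_sample_docx(with_macro=True)))   # block
    print(triage_attachment("invoice.docx", build_sample_docx(with_macro=False)))  # allow
```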
What to Expect During a OnePercent Ransomware Attack
OnePercent cybercriminals begin ransomware attacks with a warning and progress from a partial leak of a victim's data to a full leak of all exfiltrated data, the FBI indicated. The extortion/data leak often follows these steps:
- Leak Warning: OnePercent hackers gain access to a victim's network, leave a ransom note stating that their data has been encrypted and exfiltrated, and threaten to leak this information unless a ransom is paid. If the victim does not respond within a week of infection, OnePercent cybercriminals follow up with the victim and state that their stolen data will be leaked.
- One Percent Leak: If a victim does not pay a ransom, OnePercent cybercriminals threaten to release a portion of their stolen data.
- Full Leak: If a ransom is not paid in full after a "one percent leak," OnePercent cybercriminals threaten to sell the stolen data to the Sodinokibi Group to publish at an auction.
The FBI provides several recommendations to guard against OnePercent ransomware attacks, such as:
- Store copies of critical data in the cloud or on an external hard drive or storage device.
- Secure backups and ensure data is not accessible for modification or deletion from the system where the original data resides.
- Ensure computers, devices and applications are patched and up to date.
- Audit user accounts with administrative privileges and configure access controls accordingly.
- Leverage multi-factor authentication with strong passphrases.
In addition, MSSPs can educate their customers about OnePercent ransomware attacks. By doing so, MSSPs can help their customers protect against these attacks and other emerging cyber threats.