In coordination with DHS-CISA, the FBI recently published a flash alert warning the public against the OnePercent Group ransomware gang that has been found targeting US organizations since at least November 2020. This alert is only the latest in a series of high-profile ransomware incidents, partly spurred on in the wake of the COVID-19 pandemic.
The flash alert contains detailed information on the Indicators of Compromise (IoCs) and the common tactics, techniques, and procedures (TTPs) used by the group, to help organizations and cybersecurity professionals detect and counteract its ransomware attacks.
While this flash alert is sure to be helpful, it again illustrates the need for organizations to be proactive when securing their infrastructure against ransomware attacks as new “strains” are often only officially identified and addressed months after being deployed in the wild.
Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.
How does the OnePercent Ransomware Attack Work?
Like many other ransomware operations, the OnePercent Group spreads its ransomware by attaching it to phishing emails sent to unsuspecting victims (typically in the form of a Microsoft Word or Excel document). The ransomware itself utilizes Cobalt Strike, a legitimate ransomware detection tool now seeing widespread use as crimeware. In turn, Cobalt Strike utilizes some of the features of other commonly used malware such as Mimikatz and Metasploit.
In the FBI's own words: “The attachment's macros infect the system with the IcedID banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.”
From there, the ransomware encrypts and exfiltrates data from the victims' systems. The OnePercent Group then contacts victims via phone and email, demanding a ransom in virtual currency and threatening to expose the information on The Onion Router (TOR) network and the clearnet if their demands aren't met.
The trend of ransomware gangs not only encrypting, but also exfiltrating and threatening to expose, sensitive information has been gaining ground in recent years.
What are the IoCs and TTPs to look out for?
Despite being a relatively new threat, the common steps involved in a OnePercent Group ransomware attack are well-documented by the FBI:
Leak Warning: Soon after gaining access to a victim network, OnePercent Group actors leave a ransom note stating that the data has been encrypted and exfiltrated. This is followed by further communications threatening the victims: pay up or have the data leaked.
One Percent Leak: The threat actors release a portion of the data (the “one percent”) to various clearnet sites if the ransom is not paid promptly.
Full Leak: If the victim refuses or further delays paying the ransom, the OnePercent Group threatens to sell the stolen data to the Sodinokibi Group to be published at an auction.
Furthermore, this is a list of applications and tools frequently utilized by the OnePercent Group in carrying out their attacks:
- AWS S3 cloud
- Cobalt Strike
Some of the other easily identifiable IoCs to look out for are:
- Encrypted files with extensions that consist of a random 8-character string (e.g., “.dZCqciAv”)
- A ransom note named with the same 8-character string + “-readme.txt”
- Observed malware filename: %TEMP%\Temp1_request.zip\[FILENAME].doc and %PROGRAMDATA%\vexby.txt
- TOR URL: http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion
You can find a full list of associated URLs, addresses, and hashes in the Flash Alert.
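To make the file-system indicators above actionable, here is an added detection example (not code from the FBI alert or from LIFARS) that correlates the random 8-character extension with its matching “-readme.txt” ransom note and checks the two observed malware locations. The path listing is constructed sample data, and the Windows-style paths and the correlation rule (an 8-character extension only counts when the matching note exists) are my assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample of file paths, as a host scanner might enumerate them (not taken from the alert).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.dZCqciAv",
    r"C:\Users\alice\Documents\plan.docx.dZCqciAv",
    r"C:\Users\alice\Documents\dZCqciAv-readme.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\bob\report.markdown",  # benign 8-character extension, no matching ransom note
    r"C:\ProgramData\vexby.txt",
    r"C:\Users\alice\AppData\Local\Temp\Temp1_request.zip\request.doc",
]

# Encrypted files get a random 8-character extension; the note is "<same 8 characters>-readme.txt".
ENC_EXT = re.compile(r"\.([A-Za-z0-9]{8})$")
NOTE_NAME = re.compile(r"^([A-Za-z0-9]{8})-readme\.txt$", re.IGNORECASE)


def is_observed_malware_path(path):
    # The two locations named in the alert; %TEMP% and %PROGRAMDATA% vary per host, so match on the tail.
    low = path.lower()
    return low.endswith("\\programdata\\vexby.txt") or (
        "\\temp1_request.zip\\" in low and low.endswith(".doc"))


def scan(paths):
    """Return encrypted files, ransom notes and observed malware paths found in a path listing."""
    by_token = defaultdict(list)  # extension token -> files carrying that extension
    notes = {}                    # token -> ransom note path
    findings = {"encrypted": [], "ransom_notes": [], "malware_paths": []}
    for path in paths:
        if is_observed_malware_path(path):
            findings["malware_paths"].append(path)
            continue
        name = ntpath.basename(path)
        note = NOTE_NAME.match(name)
        if note:
            notes[note.group(1)] = path
            continue
        ext = ENC_EXT.search(name)
        if ext:
            by_token[ext.group(1)].append(path)
    # Correlate: an 8-character extension alone is weak evidence (".markdown" qualifies), so only
    # report extensions whose token also names a ransom note, the pairing the alert describes.
    for token, note_path in notes.items():
        findings["ransom_notes"].append(note_path)
        findings["encrypted"].extend(by_token.get(token, []))
    return findings
```

Run `scan()` over a directory walk of the hosts in question; the same correlation can be applied to EDR file-creation telemetry instead of a static listing.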
How to mitigate OnePercent Group Ransomware attacks
In terms of mitigation, the FBI recommends being on the lookout for the following commonly used rclone hashes:
Other than that, concerned parties should continue maintaining proper cybersecurity hygiene and best practices, such as:
- Securely back up critical data offline and keep cloud, offline, and air-gapped copies of essential data.
- Avoid using “Admin Approval” mode and audit admin user accounts
- Implement Microsoft LAPS
- Warn and educate employees about phishing attacks and apply effective filtering to email from external sources
- Keep computers, devices, and software patched and up-to-date
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement network segmentation
- Use multi-factor authentication and strong passwords