US businesses under attack from OnePercent Ransomware Group, says FBI

Published 9/1/2021, 9:30am

Last week the FBI issued a ‘Flash Alert’, sharing information on a cybercriminal gang known as OnePercent. The alert warned that the gang has been actively targeting US businesses with ransomware since at least November 2020. 

The tactics, techniques, and procedures (TTPs) used by OnePercent include compromise via phishing emails and malicious attachments. The attachment’s macros infect the system with the IcedID banking trojan. The trojan then downloads additional software including Cobalt Strike to enable lateral network movement and remote access.

According to the FBI, the criminal gang encrypts the data and exfiltrates it from the victim’s systems, followed by threats delivered via phone and email. OnePercent tactics typically include a warning, followed by a partial data leak and eventually a full leak if the ransom is not paid. The criminals also threaten to sell the data to the Sodinokibi Group, a Russia-based ransomware-as-a-service gang (also known as REvil).

Next Steps

Because the criminal gang is using the Rclone program in their attacks, the FBI is advising that affected organizations be aware of certain hashes associated with Rclone. In addition, the FBI and security professionals are advising businesses to:

• Back-up critical data offline.
• Use Email Security
• Ensure administrators are not using “Admin Approval” mode.
• Ensure copies of critical data are stored in the cloud or on an external hard drive or storage device and made inaccessible from the compromised network. 
• Secure backups and ensure backup data is not accessible for modification or deletion from the system where it resides.
• Keep computers, devices, and applications patched and up to date.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Institute Zero Trust policies.
• Implement network segmentation.
• Use multi-factor authentication with strong passphrases.