The Federal Bureau of Investigation’s Cyber Division has issued a flash warning about an organized cyber-criminal gang calling itself OnePercent Group.
In a TLP:WHITE alert issued Monday, the FBI said the group has been targeting businesses in the United States since November 2020.
OnePercent’s modus operandi is to use the threat emulation software Cobalt Strike to perpetrate ransomware attacks. The infection process starts in the victim’s inbox.
“OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user,” states the FBI warning. “The attachment’s macros infect the system with the IcedID banking trojan.”
The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once activated, the banking trojan downloads additional software onto the victim’s computer, including Cobalt Strike, which the FBI said “moves laterally in the network, primarily with PowerShell remoting.”
After accessing a victim’s computer, OnePercent encrypts their data and exfiltrates it from the network using rclone. A virtual ransom note is left that tells the victim they have one week from the date of infection to make contact with the ransomware group.
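As an added, defender-side example that is not part of the FBI alert or this article, the following Python flags the three stages of the chain just described (an Office document spawning a child process, PowerShell remoting, and rclone moving data to a remote) in process-creation events of the kind a Sysmon or EDR feed provides; the hosts, paths and command lines are constructed for illustration.

```python
"""Flag the reported OnePercent chain stages in process-creation events."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe"}
PS_REMOTING = re.compile(r"\b(enter-pssession|invoke-command|new-pssession)\b", re.I)
# rclone copying/syncing data; matches even if the binary was renamed
RCLONE_XFER = re.compile(r"\brclone\b.*\b(copy|sync|move)\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the chain stages one event matches; empty list means benign."""
    tags = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    if parent in OFFICE_APPS and image not in OFFICE_APPS:
        tags.append("office-macro-child")      # Word/Excel launching a process
    if image in {"powershell.exe", "pwsh.exe"} and PS_REMOTING.search(cmd):
        tags.append("powershell-remoting")     # lateral-movement stage
    if image == "rclone.exe" or RCLONE_XFER.search(cmd):
        tags.append("rclone-exfil")            # data leaving via rclone
    return tags


def detect(events):
    """Map host -> sorted list of distinct chain stages seen on that host."""
    seen = {}
    for ev in events:
        for tag in classify(ev):
            seen.setdefault(ev["host"], set()).add(tag)
    return {host: sorted(tags) for host, tags in seen.items()}


SAMPLE = [  # constructed events, not taken from the FBI alert
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\x.dll,DllMain"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Invoke-Command -ComputerName fs01 -ScriptBlock {whoami}"},
    {"host": "fs01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:staging --transfers 8"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmdline": "EXCEL.EXE budget.xlsx"},
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE).items():
        print(host, stages)
```

A host that hits more than one stage (ws01 above) is the one worth escalating, since the alert describes the actors sitting in the network for weeks before ransomware is deployed.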
“OnePercent Group actors’ extortion tactics often begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data,” warned the FBI.
If no contact is made, the group contacts the victim via a ProtonMail email address or over the phone using spoofed phone numbers. Victims are told that a small portion of their data will be leaked via The Onion Router (TOR) network and the clearnet unless a ransom payment is made.
Should a victim refuse to pay up after this initial “1 percent leak,” the ransomware group threatens to sell their data to the ransomware gang Sodinokibi (REvil) to publish at auction.
The FBI stated that OnePercent Group threat actors have been observed entering a victim’s network around a month before ransomware is deployed.
US companies are urged by the FBI to back up their critical data offline and to use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks.
Some parts of this article are sourced from: