The FBI and Cybersecurity and Infrastructure Security Agency warned that the OnePercent ransomware group has been launching attacks on U.S. companies since November.
OnePercent compromises victims through phishing emails that have an attachment, according to an Aug. 23 alert. Once the attachment is opened, the system is infected with IcedID and Cobalt Strike software is downloaded. Cobalt Strike moves laterally through the network, allowing the hackers to encrypt the data and remove it from the victim's systems.
Five things to know:
- The hackers contact the victims through telephone or email and threaten to release the stolen data unless a ransom is paid using The Onion Router. TOR is a website used to communicate the ransom amount, provide technical support and negotiate with the victims through an online chat function.
- The victims are instructed to pay the ransom to a Bitcoin address and are told that a decryption key will be provided 24-48 hours after payment
- If the victim doesn't contact OnePercent within one week of the infection, the group follows up with emails and phone calls stating the data will be leaked. The hackers threaten the data will be leaked on various clearnet websites.
- If the victims do not pay the ransom in full after the group leaked some of the stolen data, OnePercent claims all of the data will be leaked online.
- The hacker group uses Amazon Web Services S3 cloud, IcedID, Cobalt Strike, Powershell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz and SharpSploit to attack victims. The FBI emphasized that some of the applications traditionally support legitimate services.