Getty Images
FBI Warns of OnePercent Group Ransomware in New Flash Alert
The FBI’s latest flash alert warns of OnePercent Group ransomware, a hacker organization that uses phishing emails to infect networks and encrypt data.
The FBI issued a flash alert warning organizations about OnePercent Group, a hacker organization that deploys ransomware through phishing emails. The group has been a known threat since November 2020.
The ransomware group infects networks with the IcedID1 banking trojan using Cobalt Strike and moves laterally throughout the network with PowerShell remoting.
OnePercent Group tend to execute extortion tactics over telephone and email, threatening to release stolen data unless a ransom is paid. The group consistently begins its attack with a warning and a partial data leak to encourage the victim to pay the ransom. OnePercent Group leaks stolen data through The Onion Router (TOR) network and clearnet.
The FBI outlined the steps that OnePercent Group typically takes over the course of the ransomware attack:
- Leak Warning: After initially gaining access to a victim network, OnePercent Group actors leave a ransom note stating the data has been encrypted and exfiltrated. The note states the victim needs to contact the OnePercent Group actors on TOR or the victim data will be leaked. If the victim does not make prompt communication within a week of infection, the OnePercent Group actors follow up with emails and phone calls to the victim stating the data will be leaked.
- One Percent Leak: If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites.
- Full Leak: If the ransom is not paid in full after the “one percent leak”, OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group2 to publish at an auction.
The ransom notes are typically uniquely named and always provide a link to the TOR website. Victims communicate with the group through a TOR browser and are instructed to provide payment through Bitcoin.
The American Hospital Association (AHA) issued a statement about the flash alert warning healthcare organizations to stay vigilant.
“The relatively low profile OnePrecent ransomware group is using common tactics such as phishing emails for initial compromise, then common technical tools such as Cobalt Strike and Powershell to spread the ransomware throughout the victim network,” John Riggi, AHA senior advisor for cybersecurity and risk said in the statement.
“As we have seen several high-impact ransomware attacks targeting hospitals and health systems since Aug. 2, I recommend that any and all ransomware alerts issued by the government be given special attention. I and the AHA are closely coordinating with FBI, the Cybersecurity & Infrastructure Security Agency and HHS to exchange information relevant to ransomware attacks for the benefit of the field.”
Another recent FBI flash alert warned of Hive ransomware, the group responsible for a massive cyberattack on Memorial Health System in mid-August that resulted in EHR downtime and appointment cancellations.
Hive ransomware was first detected in June 2021 and usually uses phishing emails to infiltrate networks.
CISA recently released a fact sheet outlining steps organizations can take to prevent ransomware attacks, respond to a data breach, and protect personally identifiable information (PII). The fact sheet urged organizations to report cybersecurity incidents to authorities and avoid paying a ransom to cyber criminals.