A relatively new ransomware group identifying as “OnePercent” has found itself in the spotlight of the FBI’s recent Flash Alert, which aims at informing potential victim organizations of how to protect themselves against the threat. According to the FBI, the particular actor has been active in the wild since at least November 2020, abusing the Cobalt Strike tool to establish its foothold onto the target systems. The infection typically starts with a phishing email with a malicious document attachment that drops the IcedID banking trojan.
OnePercent is following the typical approach of exfiltrating the victim’s data, encrypting the local files, and then engaging in extortion. The group is contacting the victims via phone calls and emails to ensure that the incident and the short-term future repercussions are made clear. At the same time, they always let out a small leak immediately as proof that they hold sensitive data. Of course, the compromised machine also has ransom notes containing all the details, and the victim is given one week to respond. If the actors don’t get the ransom payment, they threaten to sell the stolen data to REvil.
The FBI has noticed that OnePercent spends an average of one month on the victim’s network before proceeding with the ransomware deployment, performing reconnaissance and observing the operations to discover any valuable points. Eventually, they exfiltrate the files using ‘rclone’, and then encrypt everything. The file extension that is appended to the encrypted files is the pretty scrambled “.dZCqciAv”.
The alert gives us indicators of compromise, IPs, and domains used by the actors, as well as the file hashes for the rclone tool, so all of these can be used for deploying defenses and mitigations. Apart from that, make sure that you are following a solid backup plan, you are using MFA wherever possible, and that remote access is properly restricted and monitored.
Notably, the IcedID trojan has been previously linked with TA2101, a highly sophisticated actor who also used macro-laced documents to eventually drop ransomware payloads of the Maze and Egregor strains. It wouldn’t be far-fetched to suggest that the two groups are linked, or even the same actor who has changed name. As for the affiliation with REvil, that part remains obscure, but there’s definitely a link as several OnePercent victims who didn’t pay have ended up on the Sodinokibi leak portal.