Yesterday, the FBI issued an alert that provided information about a threat actor named “OnePercent Group” that has been actively targeting US organizations with ransomware attacks since November 2020. The alert includes an overview of the attack, IOCs and attacker techniques used, and mitigation recommendations. The IOCs mentioned in the alert also show up in a previous FireEye report on UNC2198 as well as a May 2021 report by Team Cymru on IcedID infrastructure.
In this blog, we will summarize the ransomware flow, list out some recurring attacker tradecraft that our threat research team has observed in other scams, and compile useful links you can visit to keep up to date with news about this ransomware.
OnePercent Group Ransomware
This ransomware campaign began with phishing emails carrying attachments whose malicious macros infected users' systems with the IcedID banking trojan. IcedID then downloaded additional tooling, including Cobalt Strike, which the attackers used to move laterally through the network over PowerShell remoting.
The attackers then lurked in victim networks for up to a month, exfiltrating data before deploying the ransomware. Victims were contacted by telephone and email with ransom demands and threats to leak the exfiltrated data if the ransom was not paid.
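As an added illustration (not part of the original post or the FBI alert) of how a defender might spot the PowerShell remoting lateral movement described above: the Python below pairs a network logon (Windows Security event 4624, logon type 3) with a wsmprovhost.exe process creation (event 4688) for the same account on the same host shortly afterwards. wsmprovhost.exe is the process Windows starts to host an incoming WinRM/PowerShell remoting session, so the pair is a useful signal. The event records, the 60-second window and the jump-host allowlist are all constructed assumptions for the example, not data from the alert.

```python
"""Flag possible PowerShell-remoting lateral movement from Windows Security events.

Pairs a network logon (4624, logon type 3) with a wsmprovhost.exe process
creation (4688) for the same account on the same host within a short window.
Events below are constructed sample records, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format; not from the FBI alert or any real network).
SAMPLE_EVENTS = [
    {"ts": "2021-08-24T10:00:01", "host": "FS01", "id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.1.2.55"},
    {"ts": "2021-08-24T10:00:03", "host": "FS01", "id": 4688,
     "account": "CORP\\svc_backup", "image": r"C:\Windows\System32\wsmprovhost.exe"},
    {"ts": "2021-08-24T10:05:00", "host": "FS01", "id": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "src_ip": "10.1.2.10"},
    {"ts": "2021-08-24T10:05:01", "host": "FS01", "id": 4688,
     "account": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2021-08-24T11:00:00", "host": "WS22", "id": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "src_ip": "10.1.9.9"},
    {"ts": "2021-08-24T11:00:02", "host": "WS22", "id": 4688,
     "account": "CORP\\jdoe", "image": r"C:\Windows\System32\wsmprovhost.exe"},
]
JUMP_HOSTS = {"10.1.9.9"}   # assumed admin jump host; remoting from it is expected
WINDOW = timedelta(seconds=60)


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_remoting_sessions(events, jump_hosts=JUMP_HOSTS, window=WINDOW):
    """Return (host, account, src_ip) for each remoting session not from an allowed source."""
    logons = defaultdict(list)   # (host, account) -> [(logon time, source ip)]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["account"].lower())
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            logons[key].append((_parse(ev["ts"]), ev["src_ip"]))
        elif ev["id"] == 4688 and ev["image"].lower().endswith("\\wsmprovhost.exe"):
            t = _parse(ev["ts"])
            # match the remoting host process to a recent network logon by the same account
            for logon_time, src in logons[key]:
                if timedelta(0) <= t - logon_time <= window and src not in jump_hosts:
                    hits.append((ev["host"], ev["account"], src))
                    break
    return hits


if __name__ == "__main__":
    for host, account, src in find_remoting_sessions(SAMPLE_EVENTS):
        print(f"possible PowerShell remoting session on {host} as {account} from {src}")
```

The allowlist matters: remoting from a known jump host is normal administration, and without it the rule fires on every legitimate session. In a real deployment the same logic would read event 4624/4688 from a SIEM rather than the constructed list.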
The FBI alert will no doubt have follow-ups and additional intelligence that will be shared with the community over the coming days. From what is known so far, we are listing out tradecraft employed in this attack and sharing similar techniques observed by the Armorblox threat research team in other phishing campaigns.
Phishing emails and workflow compromise
The attack not only started with phishing emails but also mimicked familiar business workflows, i.e. it used Microsoft Word and Excel files as attachments. By making the emails look like the legitimate messages people receive many times a day, the attackers bet that victims would fall back on 'System 1' thinking and act quickly without scrutiny.
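The Word and Excel attachments are the one point in this chain an email gateway can inspect before anyone opens them. As an added example (not Armorblox code and not part of the FBI alert), the Python below looks inside an OOXML attachment for a VBA project part, flags it even when the file has been given a non-macro extension, and looks one level into a zip archive wrapping such a document. The sample attachments are constructed in memory and contain no real macros; the file names are invented.

```python
"""Inspect email attachments for macro-enabled Office documents.

Handles OOXML containers (.docm/.xlsm and friends) directly and zip archives
wrapping them.  The sample attachments are constructed in memory; the
'vbaProject.bin' they carry is a placeholder, not real VBA.
"""
import io
import zipfile

MACRO_PART_NAMES = ("vbaproject.bin",)
MAX_DEPTH = 2   # how many nested archives to open


def _build_ooxml(main_part, with_macro):
    """Construct a minimal OOXML container in memory (test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            ct += (f'<Override PartName="/{main_part}/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr(f"{main_part}/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(f"{main_part}/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def _build_zip(members):
    """Construct a plain zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (invented names, placeholder contents).
SAMPLE_ATTACHMENTS = {
    "invoice_Q3.docm": _build_ooxml("word", with_macro=True),
    "report.docx": _build_ooxml("word", with_macro=False),
    "statement.docx": _build_ooxml("word", with_macro=True),   # macro document given a .docx name
    "documents.zip": _build_zip({"ledger.xlsm": _build_ooxml("xl", with_macro=True),
                                 "notes.txt": b"plain text"}),
}


def find_macro_documents(name, data, depth=0):
    """Return (path, reason) findings for macro-enabled documents inside `data`."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" in names:
            # OOXML container: a VBA part or a VBA/macroEnabled content type means macros
            macro_parts = [n for n in names if n.split("/")[-1].lower() in MACRO_PART_NAMES]
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if macro_parts or "vbaProject" in content_types or "macroEnabled" in content_types:
                reason = "contains VBA project"
                ext = name.rsplit(".", 1)[-1].lower()
                if ext in ("docx", "xlsx", "pptx"):
                    reason += f" despite .{ext} extension"
                findings.append((name, reason))
        elif depth < MAX_DEPTH:
            # ordinary archive: look at each member in turn
            for member in names:
                if member.endswith("/"):
                    continue
                findings.extend(find_macro_documents(f"{name}/{member}", z.read(member), depth + 1))
    return findings


def scan_attachments(attachments):
    """Scan a {filename: bytes} mapping and collect all findings."""
    results = []
    for name, data in attachments.items():
        results.extend(find_macro_documents(name, data))
    return results


if __name__ == "__main__":
    for path, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{path}: {reason}")
```

The check deliberately keys on the container's contents rather than the file extension or MIME type in the email, since both are chosen by the sender. A production gateway would add legacy OLE (.doc/.xls) parsing and size limits on nested archives, which this example omits.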
Exploiting legitimate software, tools, and infrastructure
The FBI shared a list of tools the OnePercent Group used in this ransomware attack, and it included plenty of legitimate software and services such as AWS S3, PowerShell, and ProtonMail.
We have repeatedly observed threat actors hijacking legitimate (and often free) online services and using them within phishing flows. Other online solutions that have been exploited include Typeform in tax scams, Quip in attacks impersonating shipping companies, and Google Sites to host fake login pages.
Legitimate software and services serve several purposes in an attack: they lend the attackers anonymity, make attribution and traceability harder, and let the attackers' activity blend in with traffic that security controls already treat as normal.
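Because a destination like S3 is legitimate, blocking it is rarely an option; what a defender can do is compare each host's own history against what it does today. As an added example (not from the original post or the FBI alert), the Python below reads constructed proxy log lines, sums each host's daily upload volume to amazonaws.com destinations, and flags a host that either has no history of using the service or jumps far above its own previous daily maximum. The log format, host names, thresholds and the optional baseline period are all assumptions to be tuned for a real environment.

```python
"""Flag unusual upload volume to a legitimate cloud storage service, per host.

Reads constructed proxy log lines (date, source host, destination, bytes
uploaded) and compares each host's daily volume to amazonaws.com against
its own earlier days.  Thresholds are assumptions, not recommended values.
"""
from collections import defaultdict

# Constructed proxy log lines: date, source host, destination, bytes uploaded.
SAMPLE_PROXY_LOG = """\
2021-07-01 build01 artifacts.s3.amazonaws.com 520000000
2021-07-02 build01 artifacts.s3.amazonaws.com 610000000
2021-07-03 build01 artifacts.s3.amazonaws.com 580000000
2021-07-01 ws-finance7 www.office.com 120000
2021-07-02 ws-finance7 outlook.office365.com 340000
2021-07-03 ws-finance7 files-backup.s3.eu-west-1.amazonaws.com 4300000000
2021-07-03 ws-finance7 www.office.com 90000
"""
STORAGE_SUFFIXES = (".amazonaws.com",)
ABS_FLOOR_BYTES = 100 * 1024 * 1024   # ignore anything under 100 MiB per day
JUMP_FACTOR = 5                       # flag more than 5x the host's previous daily max


def parse_log(text):
    """Parse the whitespace-separated sample format into (day, host, dest, bytes) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dest, nbytes = line.split()
        rows.append((day, host, dest.lower(), int(nbytes)))
    return rows


def is_storage_dest(dest):
    return any(dest.endswith(suffix) for suffix in STORAGE_SUFFIXES)


def find_egress_anomalies(rows, baseline_until=None):
    """Return (host, day, bytes) for days that stand out against the host's own history.

    Days up to and including `baseline_until` (ISO date string) only build the
    baseline and never alert; without it a host's first day of S3 use is flagged.
    """
    daily = defaultdict(int)   # (host, day) -> bytes uploaded to storage
    for day, host, dest, nbytes in rows:
        if is_storage_dest(dest):
            daily[(host, day)] += nbytes
    per_host = defaultdict(list)
    for (host, day), total in daily.items():
        per_host[host].append((day, total))

    anomalies = []
    for host, series in per_host.items():
        prior_max = 0
        for day, total in sorted(series):
            in_baseline = baseline_until is not None and day <= baseline_until
            new_or_jump = prior_max == 0 or total > JUMP_FACTOR * prior_max
            if not in_baseline and total >= ABS_FLOOR_BYTES and new_or_jump:
                anomalies.append((host, day, total))
            prior_max = max(prior_max, total)
    return anomalies


if __name__ == "__main__":
    for host, day, total in find_egress_anomalies(parse_log(SAMPLE_PROXY_LOG),
                                                  baseline_until="2021-07-02"):
        print(f"{host} uploaded {total / 1e9:.1f} GB to cloud storage on {day}")
```

The build server uploads to S3 every day and is never flagged once a baseline exists; the finance workstation, which never touched S3 before, is. Run without a baseline period the rule also fires on the build server's first day, which is the cold-start noise any such rule has to be warmed past.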
An omni-channel attack
This attack started with an email, continued on the victim's system and network, and then moved to phone and email again when the time came to make the ransom demand. The attackers used ProtonMail to reduce traceability, but the spoofed phone numbers used in this attack are particularly noteworthy.
Our threat research team has observed multiple vishing campaigns over the past few months impersonating online shopping companies as well as tech support. Phone numbers are not IOCs that the security community tracks in a structured, shareable manner right now (and may never be, given how fungible phone numbers are and how easily new ones can be generated through services such as Google Voice).
Double extortion with a difference
This ransomware campaign employed double extortion techniques, demanding ransoms to restore access to encrypted data as well as threatening to leak the data if the ransoms weren’t paid. However, OnePercent Group employed a more staggered communication approach.
There was initially a 'leak warning', where victims were sent a note telling them to contact the attackers via a Tor website. If the victims didn't respond within a week, the OnePercent Group followed up with emails and phone calls threatening a 'One Percent Leak', meaning they would release a portion of the exfiltrated data to clearnet websites. If the ransom wasn't paid in full after the 'One Percent Leak', the attackers threatened to sell all the exfiltrated data for publication at an auction.
There will surely be more updates on this ransomware campaign in the days and weeks to come. We would advise bookmarking the FBI’s cybercrime news page for any other ransomware-related announcements. BleepingComputer has also covered the attack here.
For more email security news, threat research, and industry trends, join the Armorblox mailing list. If you need assistance in measuring your ransomware response readiness, download our Ransomware Incident Response Blueprint that has 10 ready-to-use templates, tools, and Visio diagrams to help you start your ransomware response journey.