The FBI has shared information about the OnePercent hacker group, which has been actively attacking American organizations since at least November 2020 while partnering with several Ransomware-as-a-Service (RaaS) operations.
The ransomware "affiliate programs" are very simple: the malware developers handle the malware itself and the payment sites, while their hired "partners" break into victims' networks and encrypt the endpoints. The ransoms received from the victims are then split between the ransomware authors and their "partners", with the latter usually receiving 70-80% of the total.
The FBI reports that OnePercent typically uses the following tactics in its attacks:
- uses phishing emails to infect victims with the IcedID Trojan;
- uses the IcedID trojan to deploy additional payloads on infected networks;
- uses Cobalt Strike to move laterally across the victim's network;
- uses RClone to steal confidential data from the victim’s servers;
- encrypts data and demands a ransom;
- calls or e-mails its victims to pressure them into paying the ransom, threatening to release the stolen information otherwise.
Overall, the OnePercent toolkit includes AWS S3, IcedID, Cobalt Strike, PowerShell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz, SharpSploit, among others.
Although the FBI does not disclose which ransomware operations OnePercent cooperates with, information security sources told The Record that the group has long worked with the operators of REvil (Sodinokibi), Maze and Egregor. In addition, the domain names the hackers used to host the IcedID Trojan are also linked to Maze and Egregor, according to a report from FireEye, which tracks OnePercent under the codename UNC2198.