FBI finds cybercrime group has targeted US firms since November last year

The FBI has discovered that the OnePercent ransomware gang has been actively targeting US organisations since November 2020 as a ransomware affiliate.

According to Bleeping Computer, the FBI shared indicators of compromise, tactics, techniques and procedures as well as mitigation measures in a published flash alert earlier this week.

The FBI claimed the group used malicious phishing email attachments that drop banking trojan payload on targets’ systems. Once the trojan has infected victims, the attackers then download and install Cobalt Strike on endpoints to move through the victims’ networks.

Following having access to their victims’ networks for up to a month and exfiltrating files, OnePercent that encrypts files using a random eight-character extension and will add uniquely-named ransom notes linking to its website.

Those who are OnePercent victims will be asked to pay the ransom most of the time in Bitcoin, with a decryption key provided up to 48 hours following the payment.

The FBI said, “The FBI has learned of a cyber-criminal group who self identifies as the ‘OnePercent Group’ and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020.

“OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router network and clearnet, unless a ransom is paid in virtual currency.

“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication.

“The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.”

The FBI highlighted that if organisations do not pay the ransom in full, OnePercent group members will threaten to sell the stolen data to the ‘Sodinokibi Group’ to publish at an auction.

Copyright © 2021 FinTech Global

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research

Investors

The following investor(s) were tagged in this article.