Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

FBI flash alert warns on OnePercent Group Ransomware attacks

The FBI shared info about OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020. The Federal Bureau of Investigation (FBI) has published a flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020. […]

FBI TeamPCP

The FBI shared info about OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.

The Federal Bureau of Investigation (FBI) has published a flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.

The alert includes tactics, techniques, and procedures (TTP), along with indicators of compromise related to group.

The flash alert also provides mitigation measures.

“The FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting. OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency.” reads the alert published by the FBI and published by BleepingComputer. “OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data.”

The group leverages phishing messages that use attachments that drop IcedID banking trojan payload on the targets’ systems. The Trojan in used to drop and install Cobalt Strike on the infected system and use it for lateral movement throughout the victims’ networks.

The threat actors have been observed remaining within the victim’s network for approximately one month during which they exfiltrate documents prior to encrypt files with the ransomware payloads.

“Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication. The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.” continues the alert. “When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

OnePercent group encrypts files and appends to their filenames a random eight-character extension (e.g., dZCqciA) and will add uniquely named ransom notes that includes reference to the .onion website operated by the threat actors.

This onion website is used to communicate the ransom amount and provide technical support to the victims that could also use it to negotiate via an online chat functionality implemented by the service.

The group accepts Bitcoin for payments, decryption key will be provided in 24-48 hours after payment.

The group use multiple applications and services in its operations, includeìing AWS S3 cloud, IcedID, Cobalt Strike, Powershell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz, SharpSploit.

“While the FBI hasn’t provided any information on OnePercent Group’s past attacks, two of the command-and-control servers mentioned in FBI’s IOC list (golddisco[.]top and june85[.]cyou) also shows up on FireEye’s report on the UNC2198 threat actor who ICEDID to deploy Maze and Egregor ransomware.” reported BleepingComputer.

Below recommendations provided by the FBI:

  • Back-up critical data offline.
  • Ensure administrators are not using “Admin Approval” mode.
  • Implement Microsoft LAPS, if possible.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides. • Keep computers, devices, and applications patched and up-to-date.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation. • Use multi-factor authentication with strong passphrases.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]