This new, aggressive ransomware group also uses Cobalt Strike to move laterally across the network.

The FBI is warning companies that a ransomware group calling itself OnePercent or 1Percent is leveraging the IceID Trojan and the Cobalt Strike backdoor to gain a foothold inside networks. Like many other high-profile ransomware groups, OnePercent both encrypts and steals corporate data, threatening to release or auction the information if the ransom is not paid.

The ransomware group has been active since at least November 2020 and has hit companies in the United States. Its members are aggressive in seeking the ransom, calling victims using spoofed telephone numbers and actively emailing them if they don’t respond to the initial ransom note after one week.

Phishing leads to IceID and Cobalt Strike

The OnePercent group relies on the IceID Trojan for initial access into networks. IceID was originally designed to steal online banking credentials, but like many other so-called banking Trojans, it expanded into an access platform for ransomware groups. Similar relationships have been observed in the past between the TrickBot banking Trojan and the Ryuk ransomware group, the Dridex Trojan and WastedLocker, or Gootkit and REvil (Sodinokibi).

IceID is distributed through phishing emails that carry malicious zip attachments. The zip archives contain Word documents with malicious macros that, if allowed to execute, download and install IceID. Following this initial infection, the attackers deploy Cobalt Strike, a commercial penetration testing agent that has become popular with many cybercriminals in recent years. Cobalt Strike is used to provide backdoor access to infected systems and to move laterally through the network using PowerShell scripts.

The OnePercent toolset

Before encrypting data, the OnePercent attackers can spend a lot of time inside the victim’s network, expanding their access and exfiltrating interesting data they find.
“The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware,” the FBI said in an alert published Monday. During this time, they use a variety of open-source tools including the credential dumping program Mimikatz and the associated SharpKatz and BetterSafetyKatz, the SharpSploit post-exploitation library written in .NET, and the rclone command-line utility. Rclone allows managing files on cloud services, and in this case it’s used to exfiltrate data from victims. The FBI advises companies to add the hashes of the various rclone binaries to their malware detection programs.

Aggressive extortion

The OnePercent group’s ransom note directs victims to a website hosted on the Tor anonymity network where they can see the ransom amount and contact the attackers via a live chat feature. The note also includes a Bitcoin address where the ransom must be paid.

If victims do not pay or contact the attackers within one week, the group attempts to contact them via phone calls and emails sent from ProtonMail addresses. “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data,” the FBI said. “When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

The extortion has several levels. If the victim does not agree to pay the ransom quickly, the group threatens to release a portion of the data publicly, and if the ransom is still not paid after that, the attackers threaten to sell the data to the REvil/Sodinokibi group to be auctioned off.

Aside from the REvil connection, OnePercent might have been tied to other ransomware-as-a-service (RaaS) operations in the past too.
Some of the OnePercent indicators of compromise and techniques published in the FBI advisory overlap with IoCs published by FireEye in February for a group tracked as UNC2198. Based on FireEye’s analysis, UNC2198 intrusions go as far back as June 2020 and also involve the deployment of Maze and Egregor ransomware. OnePercent could therefore be what is known in the ransomware ecosystem as an affiliate: a group that handles the victim compromise and distribution of ransomware and shares part of the profit with the ransomware program’s creators.
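The FBI's advice above, to add the hashes of the rclone binaries to detection tooling, as an added example that is not from the article or the advisory: a small Python scanner that hashes every file under a directory and flags content matches against a hash blocklist, so a renamed rclone.exe is still caught. The blocklist entry and the sample files are constructed (the SHA-256 of the bytes "abc" stands in for a real rclone hash, which must be taken from the advisory itself).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed blocklist: the real values come from the FBI advisory. The single
# entry here is sha256(b"abc"), used only so this demo produces a known hit.
KNOWN_RCLONE_SHA256 = {
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

def parse_blocklist(lines):
    """One hex SHA-256 per line; blanks and '#' comments ignored. Pass open(path)."""
    out = set()
    for line in lines:
        value = line.split("#", 1)[0].strip().lower()
        if len(value) == 64 and all(c in "0123456789abcdef" for c in value):
            out.add(value)
    return out

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, blocklist=KNOWN_RCLONE_SHA256):
    """Return [(path, sha256)] for every file whose content hash is blocklisted.
    Matching on content rather than file name catches a renamed binary."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            if digest in blocklist:
                hits.append((path, digest))
    return hits

def demo():
    """Constructed sample tree: one 'renamed' blocklisted file and one benign file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sub").mkdir()
        Path(d, "sub", "svchost.exe").write_bytes(b"abc")  # constructed hit
        Path(d, "readme.txt").write_bytes(b"not rclone")   # constructed miss
        return sorted(os.path.basename(p) for p, _ in scan_tree(d))
```

Calling demo() returns ['svchost.exe']; in production, replace the constructed set with parse_blocklist(open("rclone_hashes.txt")) populated from the advisory.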