This new, aggressive ransomware group also uses Cobalt Strike to move laterally across the network.

The FBI is warning companies that a ransomware group calling itself OnePercent or 1Percent is leveraging the IcedID Trojan and the Cobalt Strike backdoor to gain a foothold inside networks. Like many other high-profile ransomware groups, OnePercent both encrypts and steals corporate data, threatening to release or auction the information if the ransom is not paid.

The ransomware group has been active since at least November 2020 and has hit companies in the United States. Its members are aggressive in seeking the ransom, calling victims from spoofed telephone numbers and actively emailing them if they don’t respond to the initial ransom note within one week.

Phishing leads to IcedID and Cobalt Strike

The OnePercent group relies on the IcedID Trojan for initial access into networks. IcedID was originally designed to steal online banking credentials, but like many other so-called banking Trojans, it has expanded into an access platform for ransomware groups. Similar relationships have been observed in the past between the TrickBot banking Trojan and the Ryuk ransomware group, the Dridex Trojan and WastedLocker, or Gootkit and REvil (Sodinokibi).

IcedID is distributed through phishing emails that carry malicious zip attachments. The zip archives contain Word documents with malicious macros that, if allowed to execute, download and install IcedID. Following this initial infection, the attackers deploy Cobalt Strike, a commercial penetration testing agent that has become popular with many cybercriminals in recent years. Cobalt Strike is used to provide backdoor access to infected systems and to move laterally through the network using PowerShell scripts.

The OnePercent toolset

Before encrypting data, the OnePercent attackers can spend a lot of time inside the victim’s network, expanding their access and exfiltrating interesting data they find.
“The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware,” the FBI said in an alert published Monday. During this time, they use a variety of open-source tools, including the credential dumping program Mimikatz and the associated SharpKatz and BetterSafetyKatz, the SharpSploit post-exploitation library written in .NET, and the rclone command-line utility. Rclone allows managing files on cloud services, and in this case it’s used to exfiltrate data from victims. The FBI advises companies to add the hashes for the various rclone binaries to their malware detection programs.

Aggressive extortion

The OnePercent group’s ransom note directs victims to a website hosted on the Tor anonymity network where they can see the ransom amount and contact the attackers via a live chat feature. The note also includes a Bitcoin address where the ransom must be paid.

If victims do not pay or contact the attackers within one week, the group attempts to contact them via phone calls and emails sent from ProtonMail addresses. “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data,” the FBI said. “When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

The extortion has different levels. If the victim does not agree to pay the ransom quickly, the group threatens to release a portion of the data publicly, and if the ransom is still not paid after this, the attackers threaten to sell the data to the REvil/Sodinokibi group to be auctioned off.

Aside from the REvil connection, OnePercent might have been tied to other ransomware-as-a-service (RaaS) operations in the past too.
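One way to act on the FBI’s advice in the toolset section above (add the rclone binary hashes to detection tooling), as an added example that is not from the article or the FBI alert: a sweep that hashes every file under a directory and flags any whose SHA-256 matches a known rclone build, regardless of what the file is named. The hash set is a labelled placeholder because the alert’s hashes are not reproduced on this page, and the demo’s “rclone” file is a constructed stand-in.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder set: populate with the SHA-256 hashes of the rclone builds
# listed in the FBI alert (the hashes themselves are not reproduced on this page).
KNOWN_RCLONE_SHA256: set[str] = {"<placeholder: sha256 of rclone build from FBI alert>"}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_known_binaries(root: Path, known: set[str]) -> list[tuple[str, str]]:
    """Walk root and return (path, sha256) for every regular file whose content
    hash is in `known`. Matching is by content rather than file name, so a copy of
    rclone saved under an innocuous name is still flagged; a rebuilt or patched
    rclone has a different hash and will not match, so pair this with other checks."""
    hits: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:  # unreadable file: skip it rather than abort the sweep
                continue
            if digest in known:
                hits.append((str(p), digest))
    return hits


def demo() -> list[tuple[str, str]]:
    """Constructed demo: a stand-in 'rclone' payload stored under another name."""
    payload = b"constructed stand-in for an rclone binary, not real rclone\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Temp").mkdir()
        (root / "Temp" / "update.exe").write_bytes(payload)
        (root / "notes.txt").write_text("benign file, must not match")
        known = KNOWN_RCLONE_SHA256 | {hashlib.sha256(payload).hexdigest()}
        return find_known_binaries(root, known)
```

`demo()` returns the single flagged path with its digest; in production, point `find_known_binaries` at the real filesystem roots and fill `KNOWN_RCLONE_SHA256` from the alert.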
Some of the OnePercent indicators of compromise and techniques published in the FBI advisory overlap with IoCs published by FireEye in February for a group tracked as UNC2198. Based on FireEye’s analysis, UNC2198 intrusions go as far back as June 2020 and also involve the deployment of Maze and Egregor ransomware. OnePercent could therefore be what is known in the ransomware ecosystem as an affiliate—a group that handles the victim compromise and distribution of ransomware and shares part of the profit with the ransomware program’s creators.