OnePercent ransomware group hits companies via IceID banking Trojan

The FBI is warning companies that a ransomware group calling itself OnePercent or 1Percent is leveraging the IceID Trojan and the Cobalt Strike backdoor to gain a foothold inside networks. Like many other high-profile ransomware groups, OnePercent both encrypts and steals corporate data, threatening victims to release or auction the information if the ransom is not paid.

The ransomware group has been active since at least November 2020 and has hit companies in the United States. Its members are aggressive in seeking the ransom, calling victims using spoofed telephone numbers and actively emailing them if they don’t respond to the initial ransom note after one week.

Phishing leads to IceID and Cobalt Strike

The OnePercent group relies on the IceID Trojan for initial access into networks. IceID was originally designed to steal online banking credentials, but like many other so-called banking Trojans, it expanded into an access platform for ransomware groups. Similar relationships have been observed in the past between TrickBot banking Trojan and the Ryuk ransomware group, the Dridex Trojan and WastedLocker or Gootkit and REvil (Sodinokibi).

IceID is distributed through phishing emails that carry malicious zip attachments. The zip archives contain Word documents with malicious macros that, if allowed to execute, download and install IceID.

Following this initial infection, the attackers deploy Cobalt Strike, a commercial penetration testing agent that has become popular with many cybercriminals in recent years. Cobalt Strike is used to provide backdoor access to infected systems and move laterally through the network using PowerShell scripts.

The OnePercent toolset

Before encrypting data, the OnePercent attacks can spend a lot of time inside the victim’s network, expanding their access and exfiltrating interesting data they find. “The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware,” the FBI said in an alert published Monday.

During this time, they use a variety of open-source tools including the credential dumping program MimiKatz and the associated SharpKatz and BetterSafetyKatz, the SharpSploit post-exploitation library written in .NET and the rclone command-line utility. Rclone allows managing files on cloud services, and in this case it’s used to exfiltrate data from victims. The FBI advises companies to add the hashes for the various rclone binaries to their malware detection programs.

Aggressive extortion

The OnePercent group’s ransom note directs victims to a website hosted on the Tor anonymity network where they can see the ransom amount and contact the attackers via a live chat feature. The note also includes a Bitcoin address where the ransom must be paid.

If victims do not pay or contact the attackers within one week, the group attempts to contact them via phone calls and emails sent from ProtonMail addresses. “The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data,” the FBI said. “When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.”

The extortion has different levels. If the victim does not agree to pay the ransom quickly, the group threatens to release a portion of the data publicly and if the ransom is not paid even after this, the attackers threaten to sell the data to the REvil/Sodinokibi group to be auctioned off.

Aside from the REvil connection, OnePercent might have been tied to other ransomware-as-a-service (RaaS) operations in the past too. Some of the OnePercent indicators of compromise and techniques published in the FBI advisory overlap IoCs published by FireEye in February for a group tracked as UNC2198.

Based on FireEye’s analysis, UNC2198 intrusions go as far back as June 2020 and also involve the deployment of Maze and Egregor ransomware. OnePercent could therefore be what is known in the ransomware ecosystem as an affiliate—a group that handles the victim compromise and distribution of ransomware and shares part of the profit with the ransomware program’s creators.