FBI research on OnePercent Group: organizations targeted since 2020

The group used Cobalt Strike to distribute ransomware for money extortion

At least from November of 2020, hacker group aims at the US organizations On August 23, The Federal Bureau of Investigation (FBI) delivered some concerning news about hackers known as OnePercent Group that apparently has been actively targeting US organizations since at least November 2020 as a ransomware affiliate. The US federal law enforcement agency shared some more information about compromise, tactics, techniques, and procedures (TTP).^[1]

In the FBI statement, it is said that cyber-criminal group who self identifies as the OnePercent Group and who have used Cobalt Strike in ransomware attacks against US companies, encrypts data and exfiltrates it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network unless a ransom is paid in their chosen cryptocurrency.^[2]

If demands won't be met, threat actors, threaten to sell the stolen data to the Sodinokibi Group to publish at an auction. Victims can use the Tor website to get more info on the demanded ransom, negotiate with the attackers, and get more in-depth technical support. At least these criminals claim this is possible. Applications and services used by the OnePercent Group operators include AWS S3 cloud, IcedID, Cobalt Strike, Powershell, Rclone, Mimikatz, SharpKatz, BetterSafetyKatz, SharpSploit.

OnePercent Group is known due to its affiliation with REvil

FBI shares that the hacker group gained its name with a well-structured extortion technique. It is usually executed in stages:

• Malware affects files directly and makes them unopenable;
• Threat actors leave ransom notes asking for payment;
• If the victim doesn't follow up on it, hackers will leak the data;
• If victims don't pay fast enough, the group will leak 1% of the stolen data. That's where the name OnePercent comes from.
• Finally, if victims still don't pay, stolen information would be sold at the data auction.^[3]

Various sources state that the notorious group has a long-standing collaboration with the creators and operators of the REvil (Sodinokibi) ransomware and has also worked with the Maze and Egregor operations. REvil ransomware^[4] is a data locking virus that was first spotted back in April 2019, and it is also known as Sodinokibi/Sodin. It allows attackers to remotely connect to the host machine and inject the malware manually.

Maze is a Windows ransomware that usually targets organizations across many industries and demands a cryptocurrency payment to recover encrypted data.^[5] On the same note, Egregor is speculated to be continuous work of the Maze cybercrime group. Egregor virus became popular after Barnes & Noble and video game developers Crytek and Ubisoft hack in October 2020.^[6]

Cobalt Strike is among the most used applications

OnePercent Group tends to use Cobalt Strike for ransomware plans quite often. Cobalt Strike is a legitimate, commercially available tool, but it has recently become widely used by cybercrooks. Some researchers have tracked a year-over-year increase of 161 percent in the number of real-world attacks where Cobalt Strike has shown up. It is usually used by threat actors or by those operators who prefer general commodity malware.^[7]

Cobalt Strike sends out beacons to detect network vulnerabilities, and when used as intended, it simulates an attack. However, hackers turn this function around and use it to exfiltrate data, deliver malware and create fake command-and-control (C2) profiles that look legit and can evade detection. Apparently, tens of thousands of organizations have already been targeted with Cobalt Strike already.