FBI Reports on OnePercent Ransomware Delivered Through Phishing Emails
Yesterday, the FBI[ issued an alert](https://assets.armorblox.com/f/52352/x/fe3ec64092/fbi-alert-onepercent-group-ransomware.pdf) that provided information about a threat actor named “OnePercent Group” that has been actively targeting US organizations with [ransomware attacks](https://www.armorblox.com/learn/ransomware-prevention/) since November 2020. The alert includes an overview of the attack, IOCs and attacker techniques used, and mitigation recommendations. The IOCs mentioned in the alert also show up in a previous [FireEye report on UNC2198](https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html) as well as a [May 2021 report by Team Cymru](https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/) on IcedID infrastructure.
In this blog, we will summarize the ransomware flow, list out some recurring attacker tradecraft that our threat research team has observed in other scams, and compile useful links you can visit to keep up to date with news about this ransomware.
## **OnePercent Group Ransomware**
This ransomware campaign began with phishing emails that contained attachments with malicious macros that infected the users’ systems with the [IcedID](https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/) banking trojan. IcedID downloaded additional software that includes Cobalt Strike, which moved laterally through networks with PowerShell remoting.
The attackers then lurked in victim systems for upto a month to exfiltrate data before deploying the ransomware. The victims were contacted via telephone and email with ransom demands and threats to leak the exfiltrated data if the ransoms were not paid.
## **Recurring Tradecraft**
The FBI alert will no doubt have follow-ups and additional intelligence that will be shared with the community over the coming days. From what is known so far, we are listing out tradecraft employed in this attack and sharing similar techniques observed by the Armorblox threat research team in other phishing campaigns.
### **Phishing emails and workflow compromise**
The ransomware not only started with phishing emails, but also replicated known business workflows i.e. including Microsoft Word and Excel files as attachments. By making the emails look like legitimate emails people get many times a day, the attackers assumed that victims would employ [‘System 1’ thinking](https://www.armorblox.com/blog/the-fault-in-our-emails-why-everyone-still-falls-for-phishing-attacks/) and take quick action.
### **Exploiting legitimate software, tools, and infrastructure**
The FBI shared a list of tools the OnePercent Group used in this ransomware attack, and it included plenty of legitimate software like AWS S3 Cloud, PowerShell, and ProtonMail.
We have repeatedly observed threat actors hijacking legitimate (and often free) online services and using them within phishing flows. Other online solutions that have been exploited include [Typeform](https://www.armorblox.com/blog/blox-tales-w2-tax-scam-using-typeform) in tax scams, [Quip](https://www.armorblox.com/blog/you-ve-got-a-phish-package-fedex-and-dhl-express-phishing-attacks/) in attacks impersonating shipping companies, and [Google Sites](https://www.armorblox.com/blog/blox-tales-microsoft-teams-credential-phishing/) to host fake login pages.
Using legitimate software in cyberattacks can have multiple uses, whether it’s to lend attackers anonymity, make traceability more difficult, or trick security controls into believing that unusual behavioral patterns are in fact not unusual.
### **An omni-channel attack**
This attack started with an email, continued on the victim’s system and network, and then moved to phone and email again when the time came to make the ransom demand. The attackers used ProtonMail to reduce traceability, but the spoof phone numbers used in this attack are particularly noteworthy.
Our threat research team has observed multiple vishing campaigns over the past few months that impersonate [online shopping companies](https://www.armorblox.com/blog/amazon-vishing-voice-phishing-attacks/) as well as [tech support](https://www.armorblox.com/blog/tech-support-vishing-attacks). Phone numbers are not IOCs that the security community tracks in a structured, shareable manner right now (and might never be, due to the fungibility of phone numbers, the ability to randomly generate numbers through Google Voice, etc.).
### **Double extortion with a difference**
This ransomware campaign employed double extortion techniques, demanding ransoms to restore access to encrypted data as well as threatening to leak the data if the ransoms weren’t paid. However, OnePercent Group employed a more staggered communication approach.
There was initially a ‘leak warning’, where victims were sent a note to contact the attackers via a TOR website. If the victims didn’t respond within a week, the OnePercent Group followed up with emails and phone calls threatening a ‘One Percent Leak’, meaning they would release a portion of the exfiltrated data to clearnet websites. If the ransom wasn’t paid in full after the ‘One Percent Leak’, the attackers threatened to sell all the exfiltrated data to publish at an auction.
## **Stay Updated**
There will surely be more updates on this ransomware campaign in the days and weeks to come. We would advise bookmarking the FBI’s [cybercrime news page](https://www.fbi.gov/investigate/cyber/news) for any other ransomware-related announcements. BleepingComputer has also covered the attack [here](https://www.bleepingcomputer.com/news/security/fbi-onepercent-group-ransomware-targeted-us-orgs-since-nov-2020/).
For more email security news, threat research, and industry trends, [join the Armorblox mailing list](https://get.armorblox.com/subscribe).
