What’s happened?

The FBI has published a warning about a ransomware gang called the OnePercent Group, which has been attacking U.S. companies since November 2020.

How are companies being attacked by the OnePercent gang?

The gang emails targeted individuals inside an organization using social engineering tricks to dupe the unwary into opening a malicious Word document contained within an attached ZIP file.

And the attachment encrypts data on the user’s PC?

Not quite. Macros embedded within the document install a modular banking Trojan horse known as IcedID onto the victim’s computer.
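The delivery chain described above (a ZIP attachment carrying a Word document whose macros drop the Trojan) is something a mail gateway can check for before the attachment ever reaches a user. The script below is an added example, not code from the original article or from any vendor mentioned in it. It opens a ZIP attachment, inspects each member, and flags Office files that carry a VBA project: modern Office formats (.docx/.docm and friends) are themselves ZIP containers, and macro code is stored in a member named vbaProject.bin, so the check looks at content rather than trusting the file extension. Legacy binary .doc files (OLE2 compound files) are flagged for further inspection, since parsing their macro streams needs an OLE parser such as oletools. The sample attachment is constructed inline for the demonstration and is not a real malicious document.

```python
import io
import zipfile

# OLE2 compound-file header: legacy binary .doc/.xls files start with these bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local-file header that opens every ZIP (and therefore every OOXML document).
ZIP_MAGIC = b"PK\x03\x04"


def ooxml_has_macros(data: bytes) -> bool:
    """True if a ZIP-based Office file (docx/docm/xlsm/pptm...) contains a VBA project.

    Word stores macros at word/vbaProject.bin, Excel at xl/vbaProject.bin and
    PowerPoint at ppt/vbaProject.bin, so a suffix match covers all three.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def classify_member(data: bytes) -> str:
    """Classify one attachment member by its content, not its file name."""
    if data.startswith(ZIP_MAGIC):
        # A renamed .docm (e.g. "report.txt") is still caught here.
        return "macro" if ooxml_has_macros(data) else "clean"
    if data.startswith(OLE_MAGIC):
        # Binary Word format: macro streams need an OLE parser (e.g. oletools).
        return "legacy-ole"
    return "other"


def scan_attachment(zip_bytes: bytes) -> list:
    """Inspect a ZIP email attachment and return a verdict per member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            verdict = classify_member(outer.read(info))
            findings.append({"name": info.filename, "verdict": verdict})
    return findings


def should_quarantine(findings: list) -> bool:
    """Hold the message if any member carries macros or is an unparsed legacy .doc."""
    return any(f["verdict"] in ("macro", "legacy-ole") for f in findings)


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed stand-in for an OOXML file: only the structure matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample ZIP: one macro document, one clean one, one legacy .doc,
    one text file, and a macro document disguised with a harmless extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docm", build_ooxml(True))
        z.writestr("notes.docx", build_ooxml(False))
        z.writestr("old_contract.doc", OLE_MAGIC + b"\x00" * 32)
        z.writestr("readme.txt", "plain text, nothing to see")
        z.writestr("statement.txt", build_ooxml(True))  # extension lies, content does not
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_attachment(build_sample_attachment())
    for f in results:
        print(f"{f['name']:20} {f['verdict']}")
    print("quarantine:", should_quarantine(results))
```

The verdict for `statement.txt` is the point of checking content rather than names: a filter keyed on `.docm` would have waved it through. In production the "legacy-ole" branch should hand the bytes to olevba (from oletools) rather than stopping at a verdict, and the "clean" branch still deserves a look at external-template relationships, which this example does not cover.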

IcedID (also sometimes known as BokBot) can steal login credentials for financial institutions as users attempt to access their online bank accounts, but it can also download and drop other malware. One imagines IcedID was deliberately expanded in this fashion to make it more lucrative for cybercriminals.

One of the additional pieces of software that IcedID can download is Cobalt Strike, a penetration testing tool much loved by malicious hackers for the way it can assist the compromise of an organization.

Using Cobalt Strike, the attackers move laterally through the targeted organization, giving them the opportunity to exfiltrate sensitive data before encrypting it on the corporate victim’s systems. According to the FBI, the criminals have been observed within victims’ networks for “approximately one month prior to the deployment of the ransomware.”

So they could find out a lot about a company in that time…

Yes. Chances are that in that time they would have learnt a great deal about your organization and may well have succeeded in accessing highly sensitive data.

And then the company receives a ransom demand?

Yes, the OnePercent Group leaves a ransom note for its victim, explaining that data has been encrypted and stolen. A threat is made to release the data unless the company responds within