FBI warns of OnePercent ransomware gang – what you need to know

4 years ago Graham Cluley

What’s happened?

The FBI has published a warning about a ransomware gang called the OnePercent Group, which has been attacking U.S. companies since November 2020.

How are companies being attacked by the OnePercent gang?

The gang emails targeted individuals inside an organization using social engineering tricks to dupe the unwary into opening a malicious Word document contained within an attached ZIP file.

And the attachment encrypts data on the user’s PC?

Not quite. Macros embedded within the document install a modular banking Trojan horse known as IcedID onto the victim’s computer.

IcedID (also sometimes known as BokBot) can steal login credentials for financial institutions as users attempt to access their online bank accounts, but it can also download and drop other malware. One imagines IcedID was deliberately expanded in this fashion to make it more lucrative for cybercriminals.

One of the additional pieces of software that IcedID can download is Cobalt Strike, a penetration testing tool much loved by malicious hackers for the way it can assist the compromise of an organization.

Cobalt Strike moves laterally through the targeted organization, opening the opportunity for remote hackers to exfiltrate sensitive data and leave it encrypted on the corporate victim’s systems. According to the FBI, the criminals have been observed within victims’ networks for “approximately one month prior to the deployment of the ransomware.”

So they could find out a lot about a company in that time…

Yes. Chances are that they would have learnt a great deal about your organization and may have succeeded in accessing highly sensitive data.

And then the company receives a ransom demand?

Yes, the OnePercent Group leaves a ransom note for its victim, explaining that data has been encrypted and stolen. A threat is made to release the data unless the company responds within one week.

And what happens if you are hit by the gang and don’t respond within one week?

Unfortunately, the OnePercent Group doesn’t seem to forget about you. They make contact with tardy victims via email or telephone, applying additional pressure to pay.

Wait. They telephone their victims? Doesn’t that help reveal who they are?

Telephone numbers can be spoofed and hide the true caller, just like email addresses.

And what if the ransom is still not paid up?

If payment is not made quickly, the OnePercent Group threatens to release a portion of the stolen data (1%, which is seemingly where the group gets its name from) on the dark web.

And if the company continues to refuse to pay the ransom?

The OnePercent Group threatens to sell the exfiltrated data to the REvil cybercrime group to be auctioned off to the highest bidder.

What can my company do about this to protect itself?

Aside from ensuring that anti-virus products are configured to detect tools known to be used by the OnePercent Group during the attack and exfiltration of data, the FBI offers a number of additional tips:

  • Back up critical data offline.
  • Ensure administrators are not using “Admin Approval” mode.
  • Implement Microsoft LAPS, if possible.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
  • Keep computers, devices, and applications patched and up to date.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.
  • Use multi-factor authentication with strong passphrases.
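Several of the tips above can be checked from an elevated PowerShell session on a single Windows host. The script below is an added example, not part of the FBI advisory or the article: it is read-only, the registry paths are the documented Group Policy locations for RDP, LAPS and UAC, and the 7-day window for the RDP logon review is an assumption.

```powershell
# Added example: read-only audit of a few controls from the FBI tip list.
# Run elevated; the -Days default is an assumption, adjust to your retention.
param([int]$Days = 7)

$findings = @()

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled on this host.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -ne 1) {
    $findings += 'RDP is enabled: disable it if unused, otherwise keep monitoring its logs.'
}

# 2. LAPS: look for the legacy AdmPwd policy key or the Windows LAPS policy key.
$legacyLaps = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
$winLaps    = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not ($legacyLaps.AdmPwdEnabled -eq 1 -or $winLaps)) {
    $findings += 'No LAPS policy found: the local administrator password is likely static/shared.'
}

# 3. Admin Approval Mode (UAC) state, reported so it can be compared with site policy.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$findings += "EnableLUA (Admin Approval Mode) = $($uac.EnableLUA)"

# 4. Audit which accounts hold local administrative privilege.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$findings += "Local Administrators: $($admins -join ', ')"

# 5. Remote interactive (RDP) logons in the window: Security event 4624 with LogonType 10.
#    Property indexes follow the 4624 schema: 5 = TargetUserName, 6 = TargetDomainName,
#    8 = LogonType, 18 = IpAddress.
$since = (Get-Date).AddDays(-$Days)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            Source = $_.Properties[18].Value
        }
    }
$findings += "RDP logons in the last $Days days: $(@($rdpLogons).Count)"

$findings
$rdpLogons | Format-Table -AutoSize
```

An unexpected source address or account in the RDP logon table is worth investigating given the month-long dwell time the FBI describes.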

What else do we know about the OnePercent Group?

Not much. According to The Record, it is a ransomware-as-a-service affiliate, which has worked in the past with other groups such as REvil, Maze, and Egregor.

More details can be found in the FBI advisory.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “FBI warns of OnePercent ransomware gang – what you need to know” appeared first on TripWire.

Source:TripWire – Graham Cluley
