The Federal Bureau of Investigation (FBI) has identified a cybercriminal group that calls itself the “OnePercent Group,” and has carried out ransomware attacks against U.S. companies since November 2020 utilizing double-extortion tactics, according to an FBI flash report released on August 23.
The OnePercent Group’s extortion tactics always begin with a warning and go from a “one percent leak” to a full leak of all the victim’s exfiltrated data, the FBI said. The group compromises victims through phishing emails and, after gaining access to the victim’s network, leaves a ransom note stating the data has been encrypted and exfiltrated. The note demands that the victim contact the group on The Onion Router network; if not, the group will leak the encrypted data. If there is no contact within a week with the victims, the OnePercent Group begins to follow up with emails and phone calls.
If a company does not pay the ransom demanded promptly, “the OnePercent Group actors threaten to release a portion of the stolen data to various Clearnet websites,” the FBI notice states. If the company has not paid the ransom after the one percent leak, the group threatens to sell the data to the Sodinokibi Group.
According to the FBI, the Sodinokibi Group is a Russia-based ransomware-as-a-service group that also goes by the name REvil. It was the same ransom group that attacked JBS facilities earlier this year, forcing the company to shut down nine of its plants.
Additionally, the FBI warning details nine tools and tactics the group uses to deliver the ransomware and move laterally within victim networks after gaining initial access, such as IcedID, Cobalt Strike, Powershell, and Rclone.
The FBI also provided recommendations for U.S. organizations to mitigate the attacks, including regularly patching and updating software, using multi-factor authentication, segmenting networks, disabling unused remote access ports, and adding a banner to emails coming from outside the organization.
