In what may be a first for the agency, the FBI has issued a “flash alert” related to a specific ransomware gang. Dubbed the OnePercent group, the FBI has warned that the threat actors are responsible for numerous attacks on U.S. companies dating back to 2020. The ransomware used in those attacks was the Cobalt Strike variant, with the IcedID banking Trojan serving as the initial infection vector. The OnePercent group has links to the REvil (Sodinokibi) ransomware gang and, according to the FBI, uses this connection to leak stolen data, as REvil has web pages dedicated to such content.
The flash alert details multiple facts about OnePercent, most notably their modus operandi. They appear to follow a very specific attack method without much deviation. This can be found in the following excerpt from the alert:
OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data.
Some in the information security community are slightly confused by the release of this flash alert. Reporting for Dark Reading, Jai Vijayan quotes an interview with Alec Alvarado, the head of Digital Shadows’ threat intelligence team. In it, Alvarado states that “It is certainly interesting to ponder why the FBI chose the OnePercent group to release a Flash about, as the group doesn’t necessarily appear to sway significantly from known ransomware tactics.” In additional commentary, Alvarado surmises that either the OnePercent group is ramping up its activity, or the FBI believes that there has not been enough coverage of the group.
In any case, OnePercent is dangerous and effective, so anyone in IT should be aware of their methodology.