OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems.
The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency.
OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data.
The extortion/data leak typically follows these steps:
Leak Warning
One Percent Leak
Full Leak
File Names and Tools used by Attackers
AWS S3 cloud
IcedID
Cobalt Strike
Powershell
Rclone
Mimikatz
SharpKatz
BetterSafetyKatz
SharpSploit
OnePercent Group actors gain unauthorized access to victim networks through phishing emails with a malicious zip file attachment.
The zip file includes a Microsoft Word or Excel document that contains malicious macros that allow the actors to subsequently infect the victim’s system with the banking Trojan IcedID.
The actors use IcedID to install and execute the software Cobalt Strike on the victim’s network to move laterally to other systems within the environment through PowerShell remoting.
The actors use rclone for data exfiltration from the victim’s network.
The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware.
Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication.
The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.
When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.
Sign Up For Threat Alerts
Jul 04, 2023
Rhysida Ransomware RaaS Crawls Out of Crimeware...
The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...
Jun 26, 2023
Operation Magalenha – Long-Running Campaign Pursues Portuguese...
The attackers can steal credentials and exfiltrate users' data and personal information, which can be...
Apr 24, 2023
Lazarus Group Adds Linux Malware to Arsenal...
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...
Apr 23, 2023
Additional IOCs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.
Apr 23, 2023
Ex-Conti and FIN7 Actors Collaborate with New...
IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...
Apr 20, 2023
AuKill EDR killer malware abuses Process Explorer...
The AuKill tool abuses an outdated version of the driver used by version 16.32 of...
Apr 20, 2023
Fake Chrome updates spread malware
A campaign running since the end of last year is using hacked sites to push...
Apr 20, 2023
QBot using new attack vector in its...
QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...
Apr 20, 2023
CrossLock Ransomware Emerges: New Golang – Based...
The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...
Apr 20, 2023
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...
A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
APT36 Expands Interest Within Indian Education Sector
Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...
Apr 17, 2023
ChinaZ DDoS Bot Malware Distributed To Linux...
The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...
Apr 16, 2023
Resurgence Of The Mexals Cryptojacking Campaign
The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...