OnePercent Group – Ransomware

OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems.
The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency.
OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data.
The extortion/data leak typically follows these steps:
Leak Warning
One Percent Leak
Full Leak

File Names and Tools used by Attackers
AWS S3 cloud
Cobalt Strike

OnePercent Group actors gain unauthorized access to victim networks through phishing emails with a malicious zip file attachment.
The zip file includes a Microsoft Word or Excel document that contains malicious macros that allow the actors to subsequently infect the victim’s system with the banking Trojan IcedID.
The actors use IcedID to install and execute the software Cobalt Strike on the victim’s network to move laterally to other systems within the environment through PowerShell remoting.
The actors use rclone for data exfiltration from the victim’s network.
The actors have been observed within the victim’s network for approximately one month prior to deployment of the ransomware.

Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands and are provided a ProtonMail email address for further communication.
The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data.
When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.

Sign Up For Threat Alerts

Threats Icon

Oct 20, 2021

MysterySnail attacks with Windows zero-day

Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple...

Threats Icon

Oct 19, 2021

Explosive New MirrorBlast Campaign Targets Financial Companies

Financial organizations are historically among the most targeted by threat actors. There are many reasons...

Threats Icon

Oct 14, 2021

BlackByte Ransomware Virus

BlackByte is ransomware that infects Windows computers for the purpose of blackmailing or extorting money...

Threats Icon

Oct 14, 2021

Israel on heightened alert after hospital hit...

Hillel Yaffe resorts to logging admissions with pen and paper while being unable to conduct...

Threats Icon

Oct 13, 2021

FIN12 Ransomware Threat Actor Aggressively Pursued Healthcare...

IN12, an aggressive, financially motivated threat actor behind prolific ransomware attacks since at least October...

Threats Icon

Oct 11, 2021

Actors Target Huawei Cloud Using Upgraded Linux...

TrendMicro have recently noticed another Linux threat evolution that targets relatively new cloud service providers...

Threats Icon

Oct 07, 2021

GhostEmperor – From ProxyLogon to kernel mode

Analysts noticed a recurring cluster of activity that appeared in several distinct compromised networks. This...

Threats Icon

Oct 06, 2021

Atom Silo ransomware actors use Confluence exploit

A new ransomware operator uses stealthy techniques, but borrows heavily from other players. Sophos' MTR...

Threats Icon

Oct 05, 2021

Financially motivated actor breaks certificate parsing to...

Attackers created malformed code signatures that are treated as valid by Windows but are not...

Threats Icon

Oct 04, 2021

Fake Installers Drop Malware and Open Doors...

One way that attackers trick users is by luring them with unauthorized apps or installers...

Threats Icon

Oct 04, 2021

FinSpy – unseen findings

FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Analysts began detecting...

Threats Icon

Sep 27, 2021

FamousSparrow: A suspicious hotel guest

Yet another APT group that exploited the ProxyLogon vulnerability in March 2021 ESET researchers have...

Threats Icon

Sep 23, 2021

Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084...

The cryptomining trojan z0Miner has been taking advantage of the Atlassian's Confluence remote code execution...

Threats Icon

Sep 22, 2021

TinyTurla – Secret backdoor on victim machines

Russian state-sponsored hackers known as the Turla APT group have been using new malware over...

Threats Icon

Sep 19, 2021

No Longer Just Theory-Linux Executables Deployed As...

Researchers recently identified several malicious files that were written primarily in Python and compiled in...