FBI Warns of Ransomware Gang who has been Attacking U.S. Companies since 2020

The FBI has issued a warning about a ransomware gang called the OnePercent Group.  Since November 2020 the gang has been attacking companies in the United States by emailing targeted individuals inside an organization, using social-engineering lures to trick the employee into opening a malicious Word document delivered inside a zip file attached to the email.

From there, macros embedded in the Word document install a banking Trojan known as IcedID on the victim’s computer.  The Trojan can steal login credentials for financial institutions as users sign in to their online accounts, and it can also download and run additional malware.
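The lure described above is an archive that wraps a macro-enabled Word document. The following is an added example (not code from the FBI alert or the Tripwire story) of the check a mail gateway or triage script can apply to such an attachment: unpack nested zips, recognise OOXML documents that carry a VBA project (the word/vbaProject.bin part or the macroEnabled content type), and flag legacy OLE2 .doc files that need a dedicated parser. The sample attachments, including the file name Invoice_4471.docm, are constructed inline for the demonstration.

```python
"""Added example: inspect an e-mail attachment for a zip-wrapped, macro-enabled
Office document (the OnePercent/IcedID lure pattern). Standard library only;
sample attachments are constructed below, not taken from a real campaign."""
import io
import zipfile

# Legacy binary Office files (.doc/.xls, OLE2 compound files) start with this magic.
# They can carry VBA too, but need an OLE parser (e.g. oletools) to inspect, so flag them.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dotm", ".xls", ".xlsm", ".xlsx")


def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(n.endswith("vbaProject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass
    return False


def classify_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, verdict) pairs for the attachment and anything nested inside it."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        findings.append((name, "legacy OLE2 Office file; inspect with an OLE parser"))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        if name.lower().endswith(OFFICE_EXTS):
            verdict = ("macro-enabled Office document" if ooxml_has_vba(data)
                       else "Office document without VBA")
            findings.append((name, verdict))
        elif depth < 3:  # plain archive: recurse, but bound the nesting depth
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = zf.read(info.filename)
                    findings.extend(classify_attachment(
                        f"{name}/{info.filename}", inner, depth + 1))
        else:
            findings.append((name, "archive nested too deeply; quarantine"))
    else:
        findings.append((name, "other"))
    return findings


def should_quarantine(findings) -> bool:
    return any("macro-enabled" in v or "OLE2" in v or "too deeply" in v
               for _, v in findings)


def _build_ooxml(macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part."""
    ct = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    if macro:
        ct += b'<Override PartName="/word/document.xml" ContentType="' + MACRO_CONTENT_TYPE + b'"/>'
    else:
        ct += (b'<Override PartName="/word/document.xml" ContentType="application/'
               b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    ct += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
        if macro:  # placeholder bytes standing in for a VBA project, not real VBA
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00" + b"\x00" * 32)
    return buf.getvalue()


def _wrap_in_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed samples: the lure (zip -> .docm with VBA) and a benign archive.
LURE_ZIP = _wrap_in_zip({"Invoice_4471.docm": _build_ooxml(macro=True)})
BENIGN_ZIP = _wrap_in_zip({"Report.docx": _build_ooxml(macro=False), "notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in (("invoice.zip", LURE_ZIP), ("report.zip", BENIGN_ZIP)):
        found = classify_attachment(label, blob)
        print(label, "QUARANTINE" if should_quarantine(found) else "allow", found)
```

The extension check only decides whether to treat a zip as a document or as an archive to recurse into; the verdict itself comes from the package contents, so a renamed .docm is still caught. Legacy .doc files are flagged rather than parsed because VBA in OLE2 files lives in compound-file streams that need a dedicated parser.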

Additionally, IcedID is used to download Cobalt Strike, a commercial penetration-testing tool that attackers favor because it gives them a remotely controlled foothold inside a compromised network.  With Cobalt Strike the intruders move laterally through the targeted organization, which gives them the opportunity to exfiltrate sensitive data before encrypting it on the victim’s machines.

According to the FBI, the criminals have been observed within victims’ networks for “approximately one month prior to the deployment of the ransomware”.  In that time the attackers can learn a great deal about your organization and are likely to have gained access to highly sensitive data.

Once this sensitive data has been taken, the OnePercent Group leaves a ransom note for its victim.  The note explains that the data has been encrypted and stolen, and that the affected company must respond within a week to recover it.  If the victim does not respond in the allotted time, the group follows up by email or telephone to apply additional pressure to pay the ransom.

If payment is not made quickly, the OnePercent Group threatens to leak a small portion (1%, which is where the group’s name comes from) of the victim’s data on the dark web.  If the organization still refuses to pay, the group threatens to sell the rest of the stolen data to the REvil (Sodinokibi) cybercrime group to be auctioned off to the highest bidder.

So what can your organization do to protect itself from an attack?  Your organization can:

  • Configure an anti-virus product able to detect tools known to be used by the OnePercent Group

  • Back up critical data offline

  • Ensure administrators are not using “Admin Approval” mode

  • Implement Microsoft LAPS (Local Administrator Password Solution), if possible, so that each machine has a unique, regularly rotated local administrator password

  • Ensure copies of critical data are kept in the cloud or on an external hard drive or storage device, and that these copies are not reachable from the compromised network

  • Secure your backups and ensure the backup data cannot be modified or deleted from the system where the original data resides

  • Keep computers, devices and applications patched and up to date

  • Consider adding an email banner to emails received from outside of your organization

  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs

  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind

  • Implement network segmentation

  • Use multi-factor authentication together with strong passphrases
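The list above asks for RDP logs to be monitored, and the FBI notes a month of dwell time before encryption, so the logons made during that month are the ones worth reviewing. The following is an added example (not from the FBI alert or the Tripwire story) of a review over an exported Windows Security log: it keeps only RemoteInteractive (RDP, logon type 10) events, alerts on successful RDP logons (Event ID 4624) from outside an assumed management subnet or by privileged accounts, and counts failed RDP logons (Event ID 4625) per source address. The CSV, the 10.10.5.0/24 management subnet, the account names and the threshold are all constructed assumptions for the demonstration.

```python
"""Added example: review exported Windows Security events for RDP activity.
Feed it a CSV export of Event IDs 4624/4625 (e.g. from Get-WinEvent or a SIEM);
the sample below is constructed, not real log data."""
import csv
import io
import ipaddress
from collections import Counter

RDP_LOGON_TYPE = "10"  # LogonType 10 = RemoteInteractive, i.e. RDP
# Assumption: RDP sessions are only expected from this management subnet.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]
# Assumption: accounts whose RDP use should always be reviewed.
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}
FAILED_THRESHOLD = 5  # failed RDP logons per source before alerting

# Constructed sample export (RFC 5737 documentation addresses, invented accounts).
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2021-07-02T01:12:03,4624,10,jsmith,10.10.5.23
2021-07-02T02:40:11,4624,10,Administrator,203.0.113.45
2021-07-02T02:41:30,4624,3,svc_backup,10.10.7.9
2021-07-02T03:00:01,4625,10,Administrator,198.51.100.7
2021-07-02T03:00:04,4625,10,Administrator,198.51.100.7
2021-07-02T03:00:08,4625,10,Administrator,198.51.100.7
2021-07-02T03:00:13,4625,10,Administrator,198.51.100.7
2021-07-02T03:00:19,4625,10,Administrator,198.51.100.7
2021-07-02T03:00:27,4625,10,Administrator,198.51.100.7
2021-07-02T03:05:00,4624,10,Administrator,198.51.100.7
"""


def parse_events(text: str) -> list:
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_allowed_source(ip: str) -> bool:
    """True only for addresses inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # Windows logs "-" when no source address is recorded
        return False
    return any(addr in net for net in ALLOWED_RDP_SOURCES)


def review_rdp(events) -> list:
    """Return human-readable alerts for suspicious RDP activity."""
    alerts = []
    failures = Counter()
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue  # network/interactive/service logons are out of scope here
        ip, user = e["IpAddress"], e["TargetUserName"].lower()
        if e["EventID"] == "4625":
            failures[ip] += 1
            continue
        if e["EventID"] != "4624":
            continue
        if not is_allowed_source(ip):
            alerts.append(f"{e['TimeCreated']} RDP logon by {user} from unexpected source {ip}")
        if user in PRIVILEGED_ACCOUNTS:
            alerts.append(f"{e['TimeCreated']} RDP logon by privileged account {user} from {ip}")
    for ip, n in failures.items():
        if n >= FAILED_THRESHOLD:
            alerts.append(f"{n} failed RDP logons from {ip} (possible brute force or password spraying)")
    return alerts


if __name__ == "__main__":
    for alert in review_rdp(parse_events(SAMPLE_CSV)):
        print(alert)
```

In the sample, the burst of failures from 198.51.100.7 followed by a successful Administrator logon from the same address is the pattern that matters: a guessed or sprayed password on an exposed RDP service, which is exactly what disabling unused RDP, enforcing MFA and auditing privileged accounts are meant to prevent.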

Story via Tripwire