A look into the tactics of a ransomware affiliate from the FBI

Infosec pros can now study the tactics of a ransomware affiliate gang that has been attacking U.S. organizations since late last year, information which can help them defend against some attacks.

The intel comes from the FBI, which this week issued a report on a gang calling itself the OnePercent Group.

The name apparently comes from its threat to release one per cent of a victim organization’s stolen data if a ransom isn’t paid.

Affiliate groups are gangs that take advantage of the ransomware-as-a-service offerings of big ransomware developers like REvil/Sodinokibi, Darkside, Dharma, LockBit and others. For a monthly fee, affiliates get the bulk of a ransom, with the developer getting about 20 to 30 per cent of the payment.

According to the report, like most ransomware attackers the OnePercent Group sends out phishing email with an infected Microsoft Word or Excel attachment, with the payload executing through a macro. This leads to the download of the IcedID banking trojan. According to the Center for Internet Security, IcedID (also known as BokBot) is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware.

This gang uses it to download the Cobalt Strike threat emulation software. A legitimate testing tool, it has become a favourite aid for threat actors. According to Malpedia, Cobalt Strike deploys an in-memory agent named ‘Beacon’ on the victim machine which can be used for command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz (for saving authentication credentials), port scanning and lateral movement through and across networks. The FBI report notes this group uses Cobalt Strike in part to move laterally through PowerShell remoting.

For copying and exfiltrating data prior to deploying ransomware this gang uses rclone, a command line program, to manage files on cloud storage.

Related content: What ransomware gangs want

Once the ransomware is successfully deployed, the report says, the victim will receive phone calls with ransom demands through spoofed phone numbers. Victims are also provided a ProtonMail email address for further communication. The actors will persistently demand to speak with a victim company’s designated negotiator or otherwise threaten to publish the stolen data. When a victim company does not respond, the report says, the actors send subsequent threats to publish the victim company’s stolen data.

The report also includes indicators of compromise that security teams can watch for, including hashes associated with rclone.

The FBI urges organizations to do the following to reduce the odds of being victimized by ransomware. It’s also good advice for fending off any cyber attack:

• back-up critical data offline;
• ensure administrators are not using “Admin Approval” mode;
• implement Microsoft LAPS (Local Administrator Password Solution), if possible;
• ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network;
• secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides;
• keep computers, devices, and applications patched and up-to-date;
• consider adding a coloured email banner that clearly identifies emails received from outside your organization. This helps alert users to malicious email that purport to be from fellow employees;
• disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote
access/RDP logs;
• audit user accounts with administrative privileges and configure access controls to give users the least privilege needed for their work;
• use network segmentation to separate critical data;
• make users adopt multi-factor authentication with strong passphrases.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now