The United States Federal Bureau of Investigations (FBI) released a security advisory with details about the techniques, tactics, and procedures (TTP) of the ransomware affiliate group “OnePercent Group.” This is the first advisory released by the FBI that focuses on an affiliate group of Ransomware as a Service (RaaS) platforms such as REvil.
RaaS provide the underlying software tools, training, money laundering and negotiation services that characterize a ransomware attack to so-called “affiliate” groups that actively use these tools to target victims in return for a percentage of the profits. These affiliate groups, often euphemistically referred to as “pentesters” by RaaS organizations, are the actual criminals conducting unauthorized entry and operations on target organizations’ networks.
The FBI said that OnePercent group has been operating since at least November 2020. Although the FBI alert did not specify RaaS the OnePercent group used, Recorded Future reported that the group worked with RaaS providers REvil, Maze, and Egregor. They received their epithet due to their practice of threatening to leak 1% of a targeted organization’s data if the ransom was not immediately paid.
Typical applications used or exploited by OnePercent during historical operations include:
• AWS S3 cloud
• Cobalt Strike
OnePercent typically utilizes malicious file attachment via phishing email in order gain access to an organization’s network, typically via Word or Excel macros that drop IcedID, a banking trojan malware application, that proceeds to Cobalt Strike. Cobalt Strike is used for lateral movement within a target network utilizing PowerShell remoting. Rclone is then utilized for data exfiltration of target organizations’ data.