Author: Laksh Sethi
1. Executive Summary
On 23 August, the Federal Bureau of Investigation (FBI) released a flash alert [1] about an ongoing campaign conducted by the OnePercent Group, a group that has been using Cobalt Strike to launch ransomware attacks against U.S. companies since November 2020. The alert also provides a list of indicators of compromise (IOCs) associated with the campaign.
The actors use phishing emails with a malicious ZIP attachment that contains a Microsoft Word or Excel file. Opening the attachment activates macros that infect the victim’s computer with the IcedID banking trojan [2]. When the actors activate the trojan (in some cases a month after the infection), it installs and runs Cobalt Strike, which uses PowerShell remoting to move laterally to other systems on the infected network. The actors then employ rclone [3], a Windows-native backup utility, to encrypt and exfiltrate data from the victim’s systems.
Somewhere on the infected network, the actors leave a ransom note and contact information, which is a link to the actors’ website, reachable through The Onion Router (Tor) [4]. The note demands that the organization pay the ransom to a Bitcoin address controlled by the group. The note also states that the actors will provide the decryption key within 48 hours of receiving the demanded payment.
After the actors contact the organization, they wait for a week and then barrage the organization with phone calls and emails. In addition, they repeatedly demand that the person who initially opened the attachment connect them with the organization’s designated negotiator. If the organization does not respond within a week, the actors send email via ProtonMail and make calls from spoofed phone numbers to warn the organization that unless the ransom is paid, the exfiltrated data will be leaked via the Tor network and the clearnet. If the organization still fails to respond, the actors start leaking the exfiltrated data in small increments until they receive a response or payment.
The actors use the following tools:
- AWS S3 cloud
- Cobalt Strike
3. Prevention and Mitigation
The following measures should help prevent or mitigate an attack by the OnePercent Group:
- Implement filtering for, and treat as suspicious, any file hashes associated with rclone (see the IOCs in the table below).
- Ensure that administrators are not using Admin Approval mode.
- Implement Microsoft Local Administrator Password Solution (LAPS), if possible.
- Ensure that copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from a compromised network.
- Secure backups, and ensure that original data cannot be accessed, modified, or deleted.
- Keep computers, devices, and applications patched and up to date.
- Consider adding an email banner to email received from outside your organization.
- Disable unused remote access and Remote Desktop Protocol (RDP) ports, and monitor remote access and RDP logs.
- Audit administrative user accounts regularly.
- When configuring access controls, apply the principle of least privilege (PoLP).
- Implement network segmentation.
- Use multi-factor authentication with strong passphrases.
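The following detection sketch is an added example, not part of the FBI alert or this write-up. It turns two of the recommendations above (hash filtering for rclone, and monitoring remote access) and the attack chain described in the summary into checks over process-creation telemetry: Sysmon Event ID 1 style records constructed inline, a placeholder hash standing in for the real rclone hashes from the IOC table, and wsmprovhost.exe as the parent process that hosts commands delivered over PowerShell remoting.

```python
"""Flag OnePercent-style tradecraft in process-creation events (added example)."""
import hashlib
import re

# PLACEHOLDER: populate from the FBI IOC table; this value is not a real hash.
RCLONE_SHA256_BLOCKLIST = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# rclone data-moving subcommand followed by a "remote:" destination
# (two or more chars before the colon, so a bare drive letter does not match)
RCLONE_CMD = re.compile(r"\b(copy|sync|move|copyto)\b.*\s[A-Za-z0-9_-]{2,}:", re.I)
# flags typical of an rclone invocation, used to catch a renamed binary
RCLONE_FLAGS = re.compile(r"--(config|transfers|checkers|bwlimit|ignore-existing)\b", re.I)


def sha256_file(path):
    """Hash a file on disk so it can be compared with the blocklist."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def detect(event, blocklist=RCLONE_SHA256_BLOCKLIST):
    """Return the names of the rules an event trips; an empty list means clean."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if event.get("SHA256", "").lower() in blocklist:
        hits.append("rclone_hash")            # known binary, whatever it is named
    if RCLONE_CMD.search(cmd) and (image.endswith("rclone.exe") or RCLONE_FLAGS.search(cmd)):
        hits.append("rclone_cloud_transfer")  # bulk copy to a configured remote
    if parent.endswith("\\wsmprovhost.exe"):
        hits.append("powershell_remoting_child")  # command arrived via WinRM
    return hits


# Constructed sample telemetry, not taken from any real incident
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs", "SHA256": "aaaa"},
    {"Image": r"C:\Users\Public\svc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svc.exe copy D:\Finance backup:corp-bucket --config C:\Users\Public\r.conf",
     "SHA256": "0000000000000000000000000000000000000000000000000000000000000001"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA", "SHA256": "bbbb"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["Image"], "->", detect(e) or "clean")
```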
4. Indicators of Compromise
The FBI believes that the following IOCs are linked to this activity: