The FBI has released a flash bulletin regarding a new ransomware group that they have become aware of. This group, known as the “OnePercent Group,” has been targeting US organizations since November 2020. The bulletin provides a breakdown of the threat actor’s methods of operations as well as potential Indicators of Compromise (IOCs) that companies can use to block this activity and/or detect whether they may have been compromised by this group. The full details are found in the article from the FBI, but some of the critical takeaways include:
The initial infection vector is through phishing emails with a malicious .zip file.
Organizations should search for these email addresses in their email logs. Mail to/from these addresses may indicate that there is an active compromise:
Organizations should search for these IPs and domains in their SIEM, firewall, and web filter logs. Activity to/from these addresses may indicate that there is an active compromise:
The threat actor is using the rclone software for data exfiltration. If your organization does not have a business purpose for using rclone, consider blocking the executable in your endpoint protection software or AV if possible. The following hashes should be added to the appropriate blocklist:
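As an added example (not code from the FBI bulletin or from the original post), the following Python script shows the kind of IOC sweep the three checks above describe: it matches log lines from mail, firewall, web-proxy and endpoint sources against an indicator list of sender addresses, IPs, domains and SHA-256 hashes, and separately checks a file's hash against the blocklist. Every indicator value, log line and the stand-in "binary" below is constructed for the demonstration; none of them are the bulletin's real IOCs, which must be substituted from the advisory.

```python
"""IOC sweep over log lines plus a hash-blocklist check (added example)."""
import hashlib
import re
from collections import Counter

# Constructed stand-in for a binary the blocklist should catch; not a real file.
STAND_IN_BINARY = b"constructed rclone stand-in, not a real file"

# Placeholder indicator set. The categories mirror the bulletin (sender
# addresses, IPs/domains, rclone hashes); the values are constructed and
# must be replaced with the ones listed in the FBI advisory.
IOCS = {
    "email": {"billing@invoice-portal.test"},
    "ip": {"192.0.2.10", "198.51.100.25"},
    "domain": {"malicious-c2.example"},
    "sha256": {hashlib.sha256(STAND_IN_BINARY).hexdigest()},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")


def _domain_pattern(domain):
    # Match the domain itself or any subdomain of it, but not a longer name
    # that merely ends in the same characters (e.g. notmalicious-c2.example).
    return re.compile(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])")


def find_iocs(line, iocs=IOCS):
    """Return a list of (category, indicator) pairs found in one log line."""
    text = line.lower()
    hits = []
    for addr in EMAIL_RE.findall(text):
        if addr in iocs["email"]:
            hits.append(("email", addr))
    for ip in IP_RE.findall(text):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for domain in iocs["domain"]:
        if _domain_pattern(domain).search(text):
            hits.append(("domain", domain))
    for digest in HASH_RE.findall(text):
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest))
    return hits


def sweep(lines, iocs=IOCS):
    """Run find_iocs over many lines; return [(line_number, category, indicator)]."""
    results = []
    for number, line in enumerate(lines, start=1):
        for category, indicator in find_iocs(line, iocs):
            results.append((number, category, indicator))
    return results


def summarize(results):
    """Count hits per category, a quick triage view."""
    return dict(Counter(category for _, category, _ in results))


def file_is_blocklisted(data, iocs=IOCS):
    """True if the SHA-256 of the bytes is on the hash blocklist (endpoint-side check)."""
    return hashlib.sha256(data).hexdigest() in iocs["sha256"]


# Constructed log lines in the rough shape of mail, firewall, web-proxy and
# EDR records; not real telemetry.
SAMPLE_LOGS = [
    "2021-08-23T10:02:11Z mail from=billing@invoice-portal.test to=ap@corp.test attach=invoice.zip",
    "2021-08-23T10:05:40Z fw allow src=10.1.2.3 dst=198.51.100.25 dport=443",
    "2021-08-23T10:06:02Z proxy GET host=cdn.malicious-c2.example path=/sync",
    "2021-08-23T10:07:15Z edr proc=rclone.exe sha256=" + hashlib.sha256(STAND_IN_BINARY).hexdigest(),
    "2021-08-23T10:08:00Z fw allow src=10.1.2.4 dst=93.184.216.34 dport=443",
    "2021-08-23T10:09:30Z proxy GET host=notmalicious-c2.example path=/",
]

if __name__ == "__main__":
    for number, category, indicator in sweep(SAMPLE_LOGS):
        print(f"line {number}: {category} match on {indicator}")
    print(summarize(sweep(SAMPLE_LOGS)))
```

Two design points matter for a real sweep: domains are matched with word boundaries so that subdomains of a listed domain count as hits while unrelated names that merely share a suffix do not, and lines are lowercased before matching so case differences in mail headers or hostnames cannot hide an indicator. For production use, feed the script your SIEM export (one record per line) and the indicator values from the advisory, and treat any hit as a lead to investigate rather than as proof of compromise on its own.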
Original post with full details: FBI Releases Indicators of Compromise Associated with OnePercent Group Ransomware
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cybersecurity topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.
Vice President, Infrastructure Solutions Group