FBI warns of cybercriminal group OnePercent

Sheila Zabeu

August 26, 2021

The US Federal Bureau of Investigation (FBI) released a public statement in August detailing the modus operandi of a cybercriminal group calling itself OnePercent.

According to the FBI, the group has been active since at least November 2020. OnePercent members encrypt data on victims’ networks and leave a notice telling the victim to contact the group over Tor. If the victim does not make contact within a week of the break-in, the group sends emails and makes phone calls warning that the data will be leaked.

Then, if the ransom is not paid quickly, OnePercent threatens to release part of the stolen data (1%, hence the group’s name) on various clearnet sites. If payment is still not made in full after the partial leak, the group threatens to sell the data to the Sodinokibi group to be published in an auction.

According to the FBI, OnePercent gains unauthorized access to victims’ networks through phishing emails carrying a malicious ZIP file. The archive contains a Word or Excel document whose malicious macros infect the victim’s system with the IcedID banking Trojan, which in turn installs and runs Cobalt Strike on the network so the attackers can move laterally to other systems. The rclone tool is used to exfiltrate the victim’s data, and the attackers typically remain inside the network for about a month before deploying the ransomware.
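As an added defensive illustration (not part of the FBI statement or this article), the script below correlates two observable stages of the chain just described over constructed process-creation events: an Office application spawning a non-Office child (the macro stage) and a later execution of rclone on the same host (the exfiltration stage), within a window sized to the roughly month-long dwell time. Host names, timestamps, paths and the benign-child allowlist are all assumptions made for the example.

```python
# Added example: stage correlation for the described intrusion chain.
# All telemetry below is constructed for illustration, not real incident data.
from datetime import datetime, timedelta

OFFICE_HOSTS = {"winword.exe", "excel.exe"}      # macro-capable parents
BENIGN_CHILDREN = {"splwow64.exe"}              # assumption: known benign Office helper
DWELL_WINDOW = timedelta(days=45)               # assumption: a bit over the ~1 month dwell time

# Constructed events: (host, ISO timestamp, parent image, child image, command line)
EVENTS = [
    ("WS-14", "2021-05-03T09:12:00", "explorer.exe", "winword.exe", "WINWORD.EXE invoice.docm"),
    ("WS-14", "2021-05-03T09:12:41", "winword.exe", "rundll32.exe", "rundll32.exe C:\\Users\\Public\\x.dll,update"),
    ("WS-14", "2021-06-01T22:05:10", "cmd.exe", "rclone.exe", "rclone.exe copy D:\\Finance remote:backup -q"),
    ("WS-07", "2021-05-10T11:00:00", "explorer.exe", "excel.exe", "EXCEL.EXE budget.xlsx"),
    ("WS-07", "2021-05-10T11:01:00", "excel.exe", "splwow64.exe", "splwow64.exe 12288"),
]

def basename(image):
    """Normalise an image path to its lowercase file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Map one event to a chain stage, or None if it matches neither."""
    _host, _ts, parent, child, _cmdline = event
    parent_b, child_b = basename(parent), basename(child)
    if parent_b in OFFICE_HOSTS and child_b not in OFFICE_HOSTS and child_b not in BENIGN_CHILDREN:
        return "office_spawn"   # Office launching another binary: macro-like behaviour
    if child_b == "rclone.exe":
        return "rclone_exec"    # exfiltration tooling named in the FBI statement
    return None

def correlate(events, window=DWELL_WINDOW):
    """Return {host: sorted stage names} for hosts where an Office spawn is
    followed by an rclone execution within the dwell window."""
    per_host = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host.setdefault(ev[0], []).append((datetime.fromisoformat(ev[1]), stage))
    hits = {}
    for host, seen in per_host.items():
        spawns = [t for t, s in seen if s == "office_spawn"]
        exfil = [t for t, s in seen if s == "rclone_exec"]
        if any(timedelta(0) <= (e - s) <= window for s in spawns for e in exfil):
            hits[host] = sorted(s for _, s in seen)
    return hits

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Either stage on its own is a weak signal; the value is in linking them per host across a window long enough to cover the dwell time the FBI describes.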

Even though the FBI has not specifically classified the group as a ransomware affiliate, sources in the cybersecurity field told The Record website that OnePercent has had a longstanding collaboration with the creators and operators of the REvil ransomware and has also worked with Maze and Egregor operations.

For example, victims who did not pay the ransom ended up on REvil’s Happy Blog leak site, according to Bill Siegel, founder and CEO of security firm Coveware. In addition, domain names listed in the FBI statement that OnePercent used in the past to host the IcedID Trojan are also linked to ransomware attacks that deployed the Maze and Egregor strains, according to a report by FireEye.

What becomes clear with each incident is that almost all of these ransomware attacks are carried out by third parties who rent access to a RaaS (Ransomware as a Service) platform rather than by the creators of the malware themselves, and affiliate groups jump from one RaaS platform to another.

The FBI has not commented on whether the OnePercent group is still active today.

Is there a ransomware cartel?

The Twisted Spider gang, developer of the Maze ransomware that OnePercent later used, is behind attacks that recently ended in major losses for victims in the business world. The group may have founded a cartel in June 2020, cybersecurity firm Analyst1 claims.

Because of this, Analyst1 conducted a study to assess whether a ransomware cartel actually exists. It spent time scouring criminal marketplaces to research and analyze the criminal organizations within the alleged cartel, evaluated the tools and malware the groups use, and tracked their bitcoin transactions.

It has been observed that it is common practice for one gang to steal data and pass it on to another gang to publish and negotiate with victims. Attackers are also increasingly automating their attacks, relying on shared automation capabilities so that intrusions are conducted with virtually no human interaction. As a result, the gangs are collectively raking in hundreds of millions of dollars from ransomware and extortion operations.

And the gangs are reinvesting the profits made from ransomware to develop further, both in terms of tactics and the aggressiveness of the malware, which is regularly updated to add sophisticated new features.

According to the study, the alleged cartel is currently made up of four ransomware gangs: Twisted Spider, Viking Spider, Wizard Spider, and Lockbit Gang.

Source: Analyst1

This group emerged in May 2020, although Twisted Spider had started its ransomware operations almost a year earlier, in August 2019. The gang developed the Maze ransomware, used in its attacks from May 2019 to November 2020, and followed it with the Egregor ransomware, which is still in use today. However, each campaign uses its own malware and infrastructure, according to the study.

Source: Analyst1

“Since inception, the group has used the Egregor/Maze ransomware to extort at least $75 million from private sector companies and government agencies. We believe this number is much higher, but we can only assess ransoms admittedly paid. Many victims do not publicly report when they pay ransoms,” the Analyst1 study highlights.

In November 2020, Twisted Spider, the gang that started the alleged cartel, announced that it was winding down its operations. At the time, it also claimed that no such cartel ever existed. In its latest press release (yes, these gangs give interviews, issue press releases, and post announcements on social media), Twisted Spider claimed that the cartel was only a reality in the minds of journalists.

Analyst1 found evidence that the gangs continue to work together and share resources to extort victims. However, the study concludes that this group cannot be considered a genuine cartel, but rather a collective of gangs that occasionally work together on ransomware operations. Profit sharing is an essential element of a cartel, and it does not appear to be present in this group.

All known bitcoin wallets and transactions associated with the gangs in question were examined. Following the money trail, it was possible to observe victims paying a gang, which in turn paid its affiliates, but no evidence was found that profits were shared between the gangs.

It could be that the gangs created the cartel facade to appear larger and more powerful and thus intimidate victims. The truth is, cartel or not, ransomware gangs will continue to work with one another, sharing tactics and resources to become more sophisticated and dangerous. Analyst1 specifically believes that these groups will focus their efforts on developing methods to automate attacks; as a result, the need for affiliate hackers will decrease and the overall volume of attacks will grow.