On August 23, 2021, the Federal Bureau of Investigation (FBI) Cyber Division released an alert to protect recipients from cyber threats. The FBI is warning of a cyber-criminal group who self identifies as the “OnePercent Group” and who has used Cobalt Strike to maintain ransomware attacks against U.S. companies since November 2020.
The OnePercent Group actors compromise victims through sending a phishing email in which an attachment is opened by the receiver. The attachment’s macros infect the system with the IcedID banking trojan. IcedID downloads additional software to include Cobalt Strike, which moves laterally in the network, primarily with PowerShell remoting.
Once the ransomware is successfully deployed, the victim will start to receive phone calls through spoofed phone numbers with ransom demands. Victims are provided a ProtonMail email address for further communication. The actors will persistently demand to speak with the victim company’s designated negotiator or otherwise threaten to publish the stolen data. When a victim company does not respond, the actors send subsequent threats to publish the victim company’s stolen data via the same ProtonMail email address.
OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data. The extortion/data leak typically follows these steps:
- Leak Warning: After initially gaining access to a victim network, OnePercent Group actors leave a ransom note stating the data has been encrypted and exfiltrated. The note states the victim needs to contact the OnePercent Group actors on TOR or the victim data will be leaked. If the victim does not make prompt communication within a week of infection, the OnePercent Group actors follow up with emails and phone calls to the victim stating the data will be leaked.
- One Percent Leak: If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites.
- Full Leak: If the ransom is not paid in full after the “one percent leak”, OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group to publish an article.
The FBI offers the following recommendations to help prevent cyberattacks:
- Back-up critical data offline.
- Ensure administrators are not using “Admin Approval” mode.
- Implement Microsoft LAPS (Local Administrator Password Solution), if possible.
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
- Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
- Keep computers, devices, and applications patched and up-to-date.
- Consider adding an email banner to emails received from outside your organization.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Implement network segmentation.
- Use multi-factor authentication with strong passphrases.
The FBI requests that if you find any of the indicators on your networks, or have any related information, please immediately email FBI CYWATCH at cywatch@fbi.gov or call CYWATCH at 1-855-292-3937. When information is reported to FBI CYWATCH, you are sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.
The FBI’s Cyber Division alert can be accessed here.
Additional resources related to the prevention and mitigation of ransomware can be accessed here, and also here.
Compliance Perspective
Issue
Protecting your facility from cyberattacks should always be a priority for the information technology department. All staff members who have access to the facility’s electronic devices must be knowledgeable in best practices for preventing cyberattacks and the need to immediately report any suspicious activities on their accounts. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6, Data Integrity.
Discussion Points
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks.
- Train all appropriate staff on best practices to prevent ransomware. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available or if an issues arises.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing ransomware attacks.
