The FBI has identified a group of cyber threat actors that has launched ransomware attacks against U.S. companies since November using Cobalt Strike software.
The OnePercent Group uses phishing emails with a malicious zip file attachment to infiltrate victims’ networks, installs Cobalt Strike using IcedID, encrypts and extracts data from the compromised system using rclone and observes the breached network for a month before deploying the ransomware, the bureau said Monday.
Victims will receive calls through spoofed phone numbers from the cybercrime group demanding ransom. The group will further communicate with victims by providing a ProtonMail email address, and its extortion tactics start with a warning. If an organization fails to immediately pay the ransom, the warning will progress to a partial leak and then to a full leak of extracted data.
The FBI listed indicators of compromise and applications used by the actors to execute ransomware attacks.
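Because the bureau's notice singles out rclone as the tool used to pull data out of victim networks, a defender will want a first-pass hunt for rclone use in process-creation telemetry. The following is an added example, not code from the FBI notice or from this article: it scans constructed log records (the field names, hosts and sample command lines are assumptions) for the rclone binary, rclone's remote-reference syntax, and rclone-specific flags run under another image name.

```python
import json
import shlex
from typing import Dict, List

# Constructed sample process-creation records (not from the FBI notice).
# Fields imitate a generic EDR/Sysmon process-creation event.
SAMPLE_EVENTS = [
    r'{"ts":"2021-03-02T01:14:07Z","host":"WS-12","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}',
    r'{"ts":"2021-03-02T01:15:30Z","host":"WS-12","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy C:\\Finance mega1:backup --transfers 8 --config C:\\Users\\Public\\r.conf"}',
    r'{"ts":"2021-03-02T01:20:11Z","host":"SRV-04","image":"C:\\Temp\\svchost.exe","cmdline":"svchost.exe sync \\\\FS01\\Share drop:data --transfers 32"}',
    r'{"ts":"2021-03-02T01:22:00Z","host":"SRV-04","image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe a backup.7z D:\\Docs"}',
]

# rclone subcommands that move data, and flags that are specific to rclone.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--transfers", "--config", "--multi-thread-streams", "--no-check-certificate"}


def is_remote_ref(token: str) -> bool:
    """rclone addresses remotes as '<remote>:<path>'. Require two or more
    characters before the colon so Windows drive letters (C:\\...) and
    UNC paths are not mistaken for remotes."""
    name, sep, _ = token.partition(":")
    return bool(sep) and len(name) >= 2 and name.replace("-", "").replace("_", "").isalnum()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single process-creation event looks like rclone."""
    argv = shlex.split(event["cmdline"], posix=False)  # keep backslashes intact
    image_name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    subcmd = argv[1].lower() if len(argv) > 1 else ""
    remotes = [t for t in argv[2:] if is_remote_ref(t)]
    flags = {t.lower() for t in argv if t.startswith("--")}
    reasons = []
    if image_name == "rclone.exe":
        reasons.append("rclone binary executed")
    if subcmd in RCLONE_SUBCOMMANDS and remotes:
        reasons.append(f"rclone-style '{subcmd}' to remote '{remotes[0]}'")
    if flags & RCLONE_FLAGS and image_name != "rclone.exe":
        reasons.append("rclone flags under a non-rclone image name (possible renamed binary)")
    return reasons


def detect_rclone_exfil(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON log lines and return one finding per suspicious event."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = analyze_event(event)
        if reasons:
            findings.append({"ts": event["ts"], "host": event["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_rclone_exfil(SAMPLE_EVENTS):
        print(finding["ts"], finding["host"], "; ".join(finding["reasons"]))
```

Any hit should be triaged alongside outbound transfer volume and the account involved, since a legitimately used rclone backup job will trigger the first rule.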
The agency also recommended mitigation measures for organizations, such as backing up critical data offline, keeping devices and applications patched, implementing Microsoft LAPS and network segmentation, auditing user accounts with administrative privileges and using multifactor authentication with strong passphrases.
ExecutiveBiz, sister site of GovConDaily and part of the Executive Mosaic digital media umbrella, will host a virtual event about securing the supply chain on Oct. 26. Visit ExecutiveBiz.com to sign up for the “Supply Chain Cybersecurity: Revelations and Innovations” event.