CISA Encourages Mitigations in Face of OnePercent Group

Federal agencies are alerting entities to the threat of a ransomware gang that calls itself the OnePercent Group, a practitioner of a dreaded double extortion tactic.

The moniker might evoke thoughts of hacktivism in the name of economic equality—especially as ransomware groups like DarkSide have touted charitable contributions and promised to only attack companies that can pay—but it actually indicates the amount of captured data they leak, threatening victims to share it all with the highest bidder if they aren’t paid what they ask.

“If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites,” reads an FBI Flash warning that the Cybersecurity and Infrastructure Security Agency shared through the National Cyber Awareness System Wednesday. “If the ransom is not paid in full after the ‘one percent leak,’ OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group to publish at an auction.”

Typically, ransomware encrypts the victim’s data until they pay perpetrators to unlock it, which is why backing up data offline is one of the main best practices to mitigate against such attacks. But in cases of double extortion, the hackers not only hold sensitive data hostage, but threaten to release it to the highest bidder, or just on the open web, if it could be damaging enough.

According to the FBI warning, Sodinokibi is a Russian ransomware-as-a-service group that also goes by REvil, the gang that temporarily upended the meat industry when they attacked JBS facilities, according to an FBI attribution.

REvil, DarkSide and other ransomware-as-a-service groups have commoditized the production of the malware variants and made their distribution and use a breeze. Even laymen can pay to threaten any entity with a malicious link or attachment, usually delivered through crafty phishing efforts.

"This alert signals a welcome broadening of scope within the FBI,” said Sarah Powazek, a cyber technology research analyst at the Institute for Security and Technology and program manager of the institute’s ransomware task force. “Ransomware as a service (RaaS) lowers the barrier dramatically for criminals of any technical skill level to wreak havoc on victims across the globe. To meaningfully disrupt the ransomware ecosystem, all ransomware affiliates must be targeted, whether they write ransomware code or just purchase access to it."

Doel Santos, a threat intelligence analyst with Unit 42 at Palo Alto Networks, said the alert shows the OnePercent Group is an especially significant threat in what has become a competitive sea of such ransomware groups.

Santos said the group’s leak site was down as of Thursday, but that new groups are constantly emerging.

The FBI’s warning details tools and tactics the group uses to deliver the ransomware and to move laterally within victim networks after gaining initial access. It also includes indicators of compromise and familiar actions to mitigate the attacks, including regularly patching and updating software, using multi factor authentication, and segmenting networks. 

The FBI also suggests disabling unused remote access ports and monitoring remote access and remote desktop protocol logs, and adding a banner to emails coming from outside the organization.