FBI FLASH: OnePercent Group Ransomware Indicators of Compromise

The FBI has published a TLP:WHITE FLASH providing indicators of compromise associated with the “OnePercent Group” ransomware. According to the FBI, the OnePercent group has used Cobalt Strike to perpetrate ransomware attacks against U.S. companies since November 2020. The group compromises victims through a phishing email containing an attachment that infects the system with the IcedID banking trojan. IcedID downloads additional software, to include Cobalt Strike. Cobalt Strike then moves laterally in the network, primarily with PowerShell remoting. The FLASH contains further technical details regarding this activity, including indicators of compromise, and lists recommended mitigations. It also encourages partners to report suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 CyberWatch (CyWatch) at (855)292-3937 or Cy*****@*bi.gov.