A new ransomware group is targeting US businesses. Are you protected if your organization is next?
The FBI has released a flash bulletin regarding a new ransomware group that they have become aware of. This group, known as the “OnePercent Group,” has been targeting US organizations since November 2020. The bulletin provides a breakdown of the threat actor’s methods of operations as well as potential Indicators of Compromise (IOCs) that companies can use to block this activity and/or detect whether they may have been compromised by this group. The full details are found in the article from the FBI, but some of the critical takeaways include:
Implement protection against incoming malicious .zip files.
The initial infection vector is through phishing emails with a malicious .zip file.
- Organizations should block incoming .zip files at their email security platform. Exclusion rules can be created to allow an archive through if the sender renames the extension to a predefined one (e.g., file.zip renamed to file.ksa). Share this approved extension only with the people who need it, and treat it as a convenience for legitimate senders rather than a security control: anyone who learns the extension can use it, so the gateway should still inspect renamed archives by content (a .zip file begins with the bytes "PK" regardless of its name) rather than by extension alone.
- Implement a security awareness program to educate users on how to identify suspicious emails and activity.
Take note of the email addresses used by the group.
Organizations should search for these addresses in their email logs. Activity to/from these addresses may indicate that there is an active compromise:
- 1percentransom[@]protonmail.com
- 1percentransomware[@]protonmail.com
Keep a lookout for malicious domains and IP addresses.
Organizations should search for these IPs and domains in their SIEM, firewall, and web filter logs. Activity to/from these addresses may indicate that there is an active compromise:
- 157[.]245[.]239[.]187
- 31[.]187[.]64[.]199
- 206[.]189[.]227[.]145
- 167[.]71[.]224[.]39
- 80[.]82[.]67[.]221
- 138[.]197[.]179[.]153
- 134[.]209[.]203[.]30
- nix1[.]xyz
- golddisco[.]top
- delokijio[.]pw
- june85[.]cyou
- intensemisha[.]cyou
- biggarderoub[.]cyou
- d30qpb9e10re4o[.]cloudfront[.]net
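The script below is an added example and is not part of the FBI bulletin or of this post. It refangs the email, IP and domain indicators listed above and runs them over a handful of constructed log lines (the timestamps, usernames and internal hosts are made up). The two details worth copying into a real SIEM search are the refanging step, since the defanged "[.]" form will never match an actual log, and the subdomain match, so that a host such as cdn.golddisco.top is caught even though only golddisco.top appears in the bulletin.

```python
import re

# Indicators from the FBI flash bulletin as listed above, kept in defanged form.
EMAIL_IOCS = [
    "1percentransom[@]protonmail.com",
    "1percentransomware[@]protonmail.com",
]
IP_IOCS = [
    "157[.]245[.]239[.]187", "31[.]187[.]64[.]199", "206[.]189[.]227[.]145",
    "167[.]71[.]224[.]39", "80[.]82[.]67[.]221", "138[.]197[.]179[.]153",
    "134[.]209[.]203[.]30",
]
DOMAIN_IOCS = [
    "nix1[.]xyz", "golddisco[.]top", "delokijio[.]pw", "june85[.]cyou",
    "intensemisha[.]cyou", "biggarderoub[.]cyou", "d30qpb9e10re4o[.]cloudfront[.]net",
]


def refang(ioc):
    """Convert a defanged indicator to the literal form that appears in logs."""
    return ioc.replace("[.]", ".").replace("[@]", "@")


EMAILS = {refang(e).lower() for e in EMAIL_IOCS}
IPS = {refang(i) for i in IP_IOCS}
DOMAINS = {refang(d).lower() for d in DOMAIN_IOCS}

# Deliberately simple extractors: enough for mail, firewall and proxy log lines.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def domain_matches(host):
    """True for an exact IOC domain or any subdomain of one (e.g. cdn.golddisco.top)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_line(line):
    """Return (type, indicator) pairs for every IOC found in one log line."""
    hits = []
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in EMAILS:
            hits.append(("email", addr.lower()))
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.append(("domain", host.lower()))
    return hits


def scan_logs(lines):
    """Return (line number, hit) tuples across a log, one tuple per indicator found."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample lines in the style of firewall, proxy and mail-gateway logs (not real data).
SAMPLE_LOGS = [
    '2021-08-24T10:01:02Z fw deny src=10.1.2.3 dst=157.245.239.187 dport=443',
    '2021-08-24T10:05:33Z proxy GET https://cdn.golddisco.top/update.bin user=jdoe',
    '2021-08-24T10:07:10Z mta from=<1percentransom@protonmail.com> to=<cfo@example.com> subject="Invoice"',
    '2021-08-24T10:09:00Z proxy GET https://www.example.com/ user=jdoe',
]

if __name__ == "__main__":
    for line_no, (kind, value) in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} indicator {value}")
```

Feed exported log lines to scan_logs() and review every hit; a single match on one of these indicators is grounds for opening an incident rather than simply blocking the address, since the bulletin notes it may indicate an active compromise.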
Be aware of potential mitigations.
The threat actor uses the rclone software for data exfiltration. If your organization has no business purpose for rclone, consider blocking the executable in your endpoint protection or AV software where possible. The following hashes should be added to the appropriate blocklist. Note that a hash identifies only the exact build it was taken from: these four values cover the two rclone builds observed by the FBI, and a different rclone release, or a renamed copy of another build, will not match them. Pair the hash blocklist with a rule on the executable's name and with alerting on unexpected outbound transfers to cloud storage services, which is what rclone exists to perform.
- ECA9FAC6848545FF9386176773810F96323FEFF0D575C4B6E1C55F8DB842E7FE – Rclone.exe (64 bit) SHA256
- C00CFB456FC6AF0376FBEA877B742594C443DF97 – Rclone.exe (64 bit) SHA1
- E70ED531C8A12E7ECCE83223D7B9AA1895110DC140EDF85AFC31C8C5CD580116 – Rclone.exe (32 bit) SHA256
- A1D985E13C07EDDFA2721B14F7C9F869B0D733C9 – Rclone.exe (32 bit) SHA1
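The hunt script below is an added example, not code from the FBI or from this post. It walks a directory tree, hashes every file with both SHA-1 and SHA-256, and reports anything matching the blocklist above, plus any file still named rclone.exe whose hash is not on the list (a different rclone build). The demo() function builds a constructed tree in a temporary directory with harmless stand-in files, and adds one stand-in's hash to a copy of the blocklist to exercise the renamed-binary path; the file names and contents are made up.

```python
import hashlib
import os
import tempfile

# rclone.exe hashes from the FBI flash bulletin as listed above (lower-cased for comparison).
BLOCKLIST = {
    "sha256": {
        "eca9fac6848545ff9386176773810f96323feff0d575c4b6e1c55f8db842e7fe": "Rclone.exe (64 bit)",
        "e70ed531c8a12e7ecce83223d7b9aa1895110dc140edf85afc31c8c5cd580116": "Rclone.exe (32 bit)",
    },
    "sha1": {
        "c00cfb456fc6af0376fbea877b742594c443df97": "Rclone.exe (64 bit)",
        "a1d985e13c07eddfa2721b14f7c9f869b0d733c9": "Rclone.exe (32 bit)",
    },
}


def hash_file(path):
    """Return (sha1, sha256) hex digests, reading in chunks so large binaries do not fill memory."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def hunt(root, blocklist=BLOCKLIST):
    """Walk a directory tree and report files matching the blocklist or named rclone.exe.

    Returns sorted (relative path, sha256, reasons) tuples. A hash match catches the two builds
    in the bulletin even if renamed; the filename check catches other rclone builds left unrenamed.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                sha1, sha256 = hash_file(path)
            except OSError:
                continue  # locked or unreadable file; a production hunt should log this
            reasons = []
            if sha256 in blocklist["sha256"]:
                reasons.append("sha256 match: " + blocklist["sha256"][sha256])
            if sha1 in blocklist["sha1"]:
                reasons.append("sha1 match: " + blocklist["sha1"][sha1])
            if name.lower() == "rclone.exe" and not reasons:
                reasons.append("filename match only: hash not on the blocklist, likely a different rclone build")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, sha256, reasons))
    return sorted(findings)


def demo():
    """Build a constructed tree (no real malware) and run the hunt over it."""
    root = tempfile.mkdtemp()
    files = {  # constructed stand-ins; none of this is rclone
        "notes.txt": b"quarterly numbers\n",
        "tools/svchost.exe": b"MZ constructed stand-in for a renamed rclone build",
        "Downloads/rclone.exe": b"MZ constructed stand-in for a different rclone build",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Register the renamed stand-in by its own hash, alongside the real rclone hashes.
    sha1, sha256 = hash_file(os.path.join(root, "tools", "svchost.exe"))
    blocklist = {
        "sha256": {**BLOCKLIST["sha256"], sha256: "constructed stand-in"},
        "sha1": {**BLOCKLIST["sha1"], sha1: "constructed stand-in"},
    }
    return hunt(root, blocklist)


if __name__ == "__main__":
    for rel, digest, reasons in demo():
        print(rel, digest, "; ".join(reasons))
```

On a real host, call hunt() against user-writable locations such as Downloads, Temp and ProgramData; a "filename match only" finding still warrants a look, because the FBI's hashes cover only the builds it observed.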
Original post with full details: FBI Releases Indicators of Compromise Associated with OnePercent Group Ransomware
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cybersecurity topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.
Written By:
Ryan Kremer
Vice President, Infrastructure Solutions Group
Keller Schroeder