FBI warns of ransomware gang – What you need to know about the OnePercent group

October 14, 2021  |  Theodoros Karasavvas

This blog was written by an independent guest blogger.

The FBI recently published a warning stating that ransomware gang OnePercent Group has been attacking companies in the US since November 2020. This gang of cybercriminals targets individuals within an organization with social engineering tactics designed to fool them into opening a document from a ZIP file attached to an email. Ransomware is then downloaded and the breach is underway. 

Ransomware attacks like the ones carried out by OnePercent Group have been crippling businesses across the country since the FBI first reported a 37% uptick in cybercrime in 2018. The acceleration of digital transformation has also left companies with less transparency and fewer relevant security insights, as the rollout of multiple new services and systems has led to widespread fragmentation. 

To protect your company and your livelihood from a financially devastating cyberattack, we’ll discuss some of the details of the OnePercent Group’s tactics so that you can identify whether your company is already being targeted and know how to handle an attack. 

How do hackers use social engineering?

Social engineering is a term that describes a variety of tactics that cybercriminals use to trick individuals into divulging critical information or downloading malware onto their devices. 

Although phishing scams have been around about as long as the internet, hackers like OnePercent Group still rely on social engineering to fool high-level members of corporate organizations. In fact, a recent survey indicated that over 60% of executives cited phishing and ransomware as their top concerns. 

Most hackers carry out cyberattacks with the intention of making money off of a company, an individual, or the information they are able to extract from their victims. Social engineering helps hackers acquire confidential data faster, giving them a better chance of carrying out and completing their attacks. 

OnePercent Group attacks

OnePercent gains access to an organization’s network by sending a phishing email with a malicious file attachment, typically a Word or Excel document inside a ZIP file. Once the document is opened, it drops a banking trojan called IcedID, which in turn deploys Cobalt Strike. 

Cobalt Strike then uses PowerShell remoting for lateral movement within the targeted network. After that, Rclone is used to exfiltrate the organization’s data, leaving the company’s access to its data and network at the mercy of the hackers.
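The three stages just described (a malicious Office document executing a dropper, PowerShell remoting for lateral movement, and Rclone for exfiltration) each leave a recognisable trace in process-creation telemetry. The following detection script is an added illustration written for this post, not tooling from the FBI alert or from any vendor. The record format, the sample log lines and the thresholds are constructed for the example; the one external fact it relies on is that a remote PowerShell session on a Windows host is hosted by wsmprovhost.exe, so a shell spawned by that process indicates an inbound remoting session.

```python
"""
Heuristic detections over constructed process-creation records, loosely
modelled on Sysmon Event ID 1 fields (host, image, parent, cmdline).
Each heuristic maps to one stage of the attack chain in the post:
  1. an Office application spawning a script host (maldoc -> dropper),
  2. a process whose parent is wsmprovhost.exe (PowerShell remoting),
  3. rclone copying/syncing data to a configured "remote:" target.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    stage: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_record(line: str) -> dict:
    """Parse space-separated key=value pairs; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def evaluate(rec: dict) -> list[Finding]:
    host = rec.get("host", "?")
    image = _basename(rec.get("image", ""))
    parent = _basename(rec.get("parent", ""))
    cmd = rec.get("cmdline", "").lower()
    findings: list[Finding] = []

    # Stage 1: Word/Excel launching a script or DLL host is how a weaponised
    # document typically hands off to its dropper.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(Finding("initial-access", host, f"{parent} spawned {image}"))

    # Stage 2: wsmprovhost.exe hosts inbound PowerShell remoting sessions, so
    # any child of it was started by a remote operator.
    if parent == "wsmprovhost.exe":
        findings.append(Finding("lateral-movement", host,
                                f"remote PowerShell session ran {image}"))

    # Stage 3: rclone copy/sync/move whose destination looks like a configured
    # remote ("name:path", at least two characters before the colon so that
    # local drive letters such as D:\ do not match).
    if image == "rclone.exe" and re.search(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:", cmd):
        findings.append(Finding("exfiltration", host, "rclone transfer to remote"))
    return findings


def scan(lines) -> list[Finding]:
    """Run every heuristic over an iterable of log lines, skipping blanks."""
    out: list[Finding] = []
    for line in lines:
        if line.strip():
            out.extend(evaluate(parse_record(line)))
    return out


# Constructed sample telemetry: one benign line and one line per attack stage.
SAMPLE_LOG = r"""
host=WS01 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" parent="C:\Windows\explorer.exe" cmdline="WINWORD.EXE C:\Users\a\AppData\Local\Temp\invoice.docm"
host=WS01 image="C:\Windows\System32\rundll32.exe" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="rundll32.exe C:\Users\a\AppData\Local\Temp\x.dll,update"
host=SRV02 image="C:\Windows\System32\cmd.exe" parent="C:\Windows\System32\wsmprovhost.exe" cmdline="cmd.exe /c whoami"
host=SRV02 image="C:\Users\svc\rclone.exe" parent="C:\Windows\System32\cmd.exe" cmdline="rclone.exe copy D:\Finance backup:share --transfers 32"
host=WS03 image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" cmdline="notepad.exe notes.txt"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.stage}] {f.host}: {f.detail}")
```

Each heuristic fires independently, so a host that trips the lateral-movement rule and then the exfiltration rule within a short window is the pattern worth paging on; the Office-to-script-host rule will also catch legitimate macro-driven workflows and needs an allowlist in practice.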

The ransomware gang then notifies the company that it has a week to pay a certain dollar amount. If the ransom is not paid, OnePercent threatens to leak 1% of the company’s data. If the company still refuses to pay, OnePercent sells the data to the Sodinokibi Group, which sells it at auction on the black market. 

This is especially dangerous when you consider that the FBI suspects the group might be working with RaaS (ransomware as a service) providers like REvil, Maze and Egregor. While the FBI did not explicitly state that the OnePercent Group was working with any known RaaS provider, some signatures have led professionals to believe that the group could be connected to other hacker groups through this type of service. 

RaaS has gained a lot of popularity. Just like other “as a service” offerings, hacker groups offer RaaS software to other hackers for a fee. RaaS providers do not only give cybercriminals the means of executing a high-level cyberattack; they also offer consultations and training so that the ransomware customer can successfully infiltrate and exploit another organization for money, data, or both. 

How to spot their scam and protect yourself

Here are some best practices to prevent your organization from becoming victimized by the OnePercent ransomware gang:

Hire developers and IT experts who understand ransomware

In order for security teams to spot this deadly attack before the attackers fully infiltrate the network, it's important that organizations hire backend web and software developers who are familiar with the applications and tools the OnePercent Group has exploited in its past attacks. 

You can expect to pay around $80 an hour for an experienced developer who is experienced in cybersecurity and well versed in the applications the OnePercent Group often exploits, including AWS S3 cloud, Cobalt Strike, and PowerShell.

Encrypt all sensitive company data

Database records, system files and data stored in the cloud should all be encrypted. It’s also important that companies ensure their vendors are encrypting company data as well. Many recent leaks occurred because hackers were able to easily access unencrypted files containing passwords and other company data. 

Enforce regular employee phishing training

Employee education is a critical element of phishing prevention and threat detection. A recent study indicates that phishing awareness training must be repeated at least once every six months in order for employees to retain the information. Upper-level management should be required to attend these training sessions as well, since those individuals are more likely to be targeted due to their higher-level credentials. 

Regularly monitor the network for vulnerabilities

The best method of prevention is proactivity. Organizations that continuously identify vulnerabilities are able to patch weaknesses before hackers have the chance to exploit them. 

Additionally, penetration testing and cybersecurity consultations can help educate companies about the biggest threats to their networks and how to mitigate them before any damage is caused. Managed cybersecurity solutions are a great asset for organizations that lack IT security professionals. 

Ensure all web traffic is encrypted with SSL or TLS

Make sure that your SSL certificate is up to date and that it uses a sufficiently large key (2048 bits is recommended). As Brisbane-based web developer Nathan Finch of Best Web Hosting Australia notes, ensuring your site comes with SSL encryption is an absolute necessity in this day and age. 

“Some website builders may include SSL certification by default, or the hosting service that you will use for your website may include it as a bonus as well,” says Finch. “Either way, SSL certification is a necessity these days; you’ll know that your website has SSL certification via a padlock symbol in the address bar at the top of your browser. SSL certification is necessary to show your visitors that your website is secure and to comply with certain international regulations, like the GDPR.”
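The two checks this section asks for, that the certificate is current and that its key is at least 2048 bits, can be scripted against any public endpoint. The script below is an added example written for this post, not code from the author, from Best Web Hosting Australia, or from any certificate vendor. It uses only the Python standard library plus the openssl command-line tool for the key-size read-out (assumed to be installed); the 30-day renewal window and the sample certificate fields are constructed values.

```python
"""
Certificate hygiene check.

assess_certificate() works on the dict that ssl.SSLSocket.getpeercert()
returns, so it can be exercised offline on a constructed record;
fetch_peer_cert() obtains that dict (and the DER bytes) from a live host.
The key size is not part of getpeercert()'s dict, so key_bits_from_der()
hands the DER certificate to the openssl CLI and reads the
"Public-Key: (N bit)" line from its text dump.
"""
import re
import socket
import ssl
import subprocess
import time
from typing import Optional, Tuple

MIN_KEY_BITS = 2048   # the post's recommendation
WARN_DAYS = 30        # assumed renewal window for this example


def assess_certificate(cert: dict, now: Optional[float] = None,
                       warn_days: int = WARN_DAYS) -> dict:
    """Report days until 'notAfter' and a status of ok / expiring-soon / expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])   # parses 'Jan  5 09:34:43 2030 GMT'
    days_left = (not_after - now) / 86400
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring-soon"
    else:
        status = "ok"
    return {"days_left": round(days_left, 1), "status": status}


def key_bits_from_openssl_text(text: str) -> Optional[int]:
    """Extract the key size from 'openssl x509 -noout -text' output."""
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    return int(m.group(1)) if m else None


def key_size_ok(bits: Optional[int], minimum: int = MIN_KEY_BITS) -> bool:
    """Unknown key size counts as a failure rather than a pass."""
    return bits is not None and bits >= minimum


def hardened_context() -> ssl.SSLContext:
    """Default verifying context that additionally refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLS1_2
    return ctx


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[dict, bytes]:
    """Connect with hostname verification and return (cert_dict, der_bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with hardened_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def key_bits_from_der(der: bytes) -> Optional[int]:
    """Ask the openssl CLI to dump the certificate and read the key size from it."""
    out = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-text"],
                         input=der, capture_output=True, check=True).stdout
    return key_bits_from_openssl_text(out.decode())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    cert, der = fetch_peer_cert(host)
    bits = key_bits_from_der(der)
    print(host, assess_certificate(cert), f"key={bits} bits ok={key_size_ok(bits)}")
```

Run it as `python check_cert.py www.example.com`; because the context verifies the chain and hostname, a certificate that is expired, self-signed or issued for another name fails at connection time before the expiry arithmetic runs, which is the same failure a visitor's browser would show.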


Social engineering schemes range from covert to obvious. A hacker might send an email posing as an individual or a business in an attempt to get the target to send them money. For example, they may try to sell you something and end up taking your money, and possibly your credit card details or other information as well. This may seem like small potatoes, but seemingly insignificant breaches often lead to larger data breaches that cause widespread damage. 

Exercising cybersecurity asset management is critical for identifying the devices, servers, and databases that are owned by an organization. Asset management makes it easy to identify IoT and other devices that are accessing your network’s ecosystem so that IT can investigate potential vulnerabilities and prevent a major data breach.
