The Record: “The US Federal Bureau of Investigation has published today its first-ever public advisory detailing the modus operandi of a ‘ransomware affiliate.’ A relatively new term, a ransomware affiliate refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms, orchestrates intrusions into corporate networks, encrypts files with the ‘rented ransomware,’ and then earns a commission from successful extortions. The FBI said today that this threat actor, which goes by the name OnePercent Group, has been active since at least November 2020. Per the FBI report [PDF], historically, the group has primarily relied on the following tactics for its attacks:
- Used phishing email campaigns to infect victims with the IcedID trojan.
- Used the IcedID trojan to deploy additional payloads on infected networks.
- Used the Cobalt Strike penetration testing framework to move laterally across a victim’s network.
- Used RClone to exfiltrate sensitive data from a victim’s servers.
- Encrypted data and demanded a ransom.
- Phoned or emailed victims to threaten to sell their stolen data on the dark web if they didn’t pay on time…”
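The one step in that chain that defenders can most cheaply catch in endpoint telemetry is the RClone exfiltration stage: rclone is a legitimate, signed command-line tool, so it has to be spotted by how it is invoked rather than by a bad hash. The following is an added example, not code from The Record article or the FBI advisory. It assumes Sysmon-style process-creation events (Event ID 1) exported as JSON lines with the fields Image, OriginalFileName, CommandLine and ParentImage; the four log records inside it are constructed for illustration. It flags rclone transfer verbs (copy, sync, move) aimed at a named remote, and it also keys on the PE's OriginalFileName so that an rclone.exe renamed on disk is still caught.

```python
"""Flag RClone exfiltration in Sysmon-style process-creation telemetry.

Added example; the field names follow Sysmon Event ID 1 and the sample
records below are constructed, not taken from any real incident.
"""
import json
import re
from pathlib import PureWindowsPath

# Real rclone sub-commands: the first group ships data, the second only lists it.
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
ENUM_VERBS = {"ls", "lsd", "lsl", "lsf", "listremotes", "about"}

# An rclone remote looks like "mega:backup" or "backup:"; require at least two
# characters before the colon so a drive letter ("C:\x") does not match, and
# reject URLs ("https://...").
REMOTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]+:(?!//)")

# Constructed sample telemetry (assumed Sysmon field names).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Finance mega:backup --config C:\Users\Public\rc.conf -q --transfers 8",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # rclone renamed to look like a system binary; OriginalFileName still gives it away.
    {"EventID": 1, "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe sync D:\Shares pcloud:data --no-check-certificate",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Enumeration only: worth a low-severity note, not an exfiltration alert.
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe lsd backup:",
     "ParentImage": r"C:\Windows\explorer.exe"},
]]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyse_event(line: str):
    """Return a finding dict for an rclone invocation, or None for anything else."""
    ev = json.loads(line)
    if ev.get("EventID") != 1:
        return None
    image = _basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    # Match the on-disk name OR the PE's OriginalFileName so renaming does not evade us.
    if "rclone.exe" not in (image, original):
        return None

    tokens = ev.get("CommandLine", "").split()[1:]          # drop argv[0]
    verb = next((t.lower() for t in tokens if t.lower() in EXFIL_VERBS | ENUM_VERBS), None)
    remotes = [t for t in tokens if REMOTE_RE.match(t)]
    renamed = original == "rclone.exe" and image != "rclone.exe"

    reasons = []
    if renamed:
        reasons.append(f"rclone renamed on disk to {image}")
    if verb in EXFIL_VERBS and remotes:
        severity = "high"                                   # data leaving via a remote
        reasons.append(f"rclone {verb} to remote {remotes[0]}")
    elif renamed:
        severity = "medium"                                 # evasion without a visible transfer
    else:
        severity = "low"                                    # local copy or enumeration only
        reasons.append(f"rclone {verb or 'invoked'} with no remote transfer")
    return {"severity": severity, "image": ev.get("Image"),
            "parent": ev.get("ParentImage"), "reasons": reasons}


def scan(lines):
    """Run analyse_event over a log stream and keep only the rclone findings."""
    return [f for f in (analyse_event(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["image"], "|", "; ".join(finding["reasons"]))
```

In production the same logic belongs in the SIEM query or EDR rule rather than a script, and the remote list should be joined against the host's outbound connections (rclone talking to a cloud-storage provider from a file server is the combination worth paging on), but the two checks shown here, transfer verb plus remote target and OriginalFileName mismatch, are the core of most published rclone detections.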