HC3 TLP White Alert: Indicators of Compromise Associated with OnePercent Group Ransomware - August 24, 2021

Executive Summary

The FBI shared indicators of compromise (IOCs) associated with the ransomware threat actors the OnePercent Group. The OnePercent Group uses IceID-infected phishing email attachments to install ColbaltStrike and other malware on their victims’ computers. The “OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data” if their ransom is not paid.

Because the OnePercent Group uses the rclone program, the FBI recommends “organizations be aware” of the hashes associated with rclone that are included in their alert. “Rclone is a command line program to manage files on cloud storage.”

Report

FBI – Flash Alert (CU-000149-MW) Indicators of Compromise Associated with OnePercent Group Ransomware
https://www.ic3.gov/Media/News/2021/210823.pdf

Impact to HPH Sector

While HC3 is not aware of any Healthcare and Public Health (HPH) Sector entities target by the OnePercent Group, IceID and ColbaltStrike malware has affected the HPH Sector in the past. Sector entities targeted by ransomware could have some or all of their data leaked if a ransom is not paid and experience disruptions to services provided to their patients and customers.

References

CISA - Additional Resources Related to the Prevention and Mitigation of Ransomware
https://www.stopransomware.gov

Rclone - About rclone
https://rclone.org/

Contact Information

If you have any additional questions, please contact us at HC3@hhs.gov.