{"id":6896,"date":"2021-08-25T16:04:34","date_gmt":"2021-08-25T23:04:34","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6896"},"modified":"2024-08-07T12:20:12","modified_gmt":"2024-08-07T19:20:12","slug":"onepercent-group-ransomware-campaign","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/","title":{"rendered":"OnePercent Group Ransomware Campaign"},"content":{"rendered":"<h3><strong>Author: Laksh Sethi<\/strong><\/h3>\n<p>&nbsp;<\/p>\n<h3>1. Executive Summary<\/h3>\n<p>On 23 August, the Federal Bureau of Investigation (FBI) released a flash alert<sup>1<\/sup> about an ongoing campaign conducted by the OnePercent Group: a group that has been using Cobalt Strike to launch ransomware attacks against U.S. companies since November 2020. The alert also provides a list of indicators of compromise (IOCs) associated with the campaign.<\/p>\n<h3>2. Analysis<\/h3>\n<p>The actors use phishing emails with a malicious ZIP attachment that contains a Microsoft Word or Excel file. Opening the attachment activates macros that infect a victim\u2019s computer with the IcedID banking trojan.<sup>2<\/sup> When the actors activate the trojan (in some cases a month after the infection), it installs and runs Cobalt Strike, which uses PowerShell remoting to migrate laterally to other systems on the infected network. The actors then employ rclone,<sup>3<\/sup> a Windows-native backup utility, to encrypt and exfiltrate data from the victim\u2019s systems.<\/p>\n<p>Somewhere on the infected network, the actors leave a ransom note and contact information, which is a link to the actors\u2019 website accessible through the Onion Router (TOR)<sup>4<\/sup> application. The note demands that the organization pay the ransom to a Bitcoin address controlled by the group. The note also states that the actors will provide the decryption key within 48 hours of receiving the payment they have demanded.<\/p>\n<p>After the actors contact the organization, they wait for a week, and then proceed to barrage the organization with phone calls and emails. In addition, they repeatedly demand that the person who initially opened the attachment connect them with the organization\u2019s designated negotiator. If the organization does not respond within a week, the actors send ProtonMail email and make calls from spoofed phone numbers to warn the organization that unless the ransom is paid, the exfiltrated data will be leaked via the TOR network and clearnet. If the organization fails to respond, the actors start leaking the exfiltrated data in small increments, until they receive a response or payment.<br \/>\nThe actors use the following tools:<\/p>\n<ul>\n<li>AWS S3 cloud<\/li>\n<li>IcedID<\/li>\n<li>Cobalt Strike<\/li>\n<li>PowerShell<\/li>\n<li>rclone<\/li>\n<li>Mimikatz<sup>5<\/sup><\/li>\n<li>SharpKatz<sup>6<\/sup><\/li>\n<li>BetterSafetyKatz<sup>7<\/sup><\/li>\n<\/ul>\n<h3>3. Prevention and Mitigation<\/h3>\n<p>The following measures should help prevent or mitigate an attack by the OnePercent Group:<\/p>\n<ul>\n<li>Implement a filter against and be suspicious of all hashes that might be associated with rclone (see the IOCs in the table below).<\/li>\n<li>Ensure that administrators are not using Admin Approval mode.<\/li>\n<li>Implement Microsoft Local Administrator Password Solution (LAPS), if possible.<\/li>\n<li>Ensure that copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from a compromised network.<\/li>\n<li>Secure backups, and ensure that original data cannot be accessed, modified, or deleted.<\/li>\n<li>Keep computers, devices, and applications patched and up to date.<\/li>\n<li>Consider adding an email banner to email received from outside your organization.<\/li>\n<li>Disable unused remote access and Remote Desktop Protocol (RDP) ports, and monitor remote access and RDP logs.<\/li>\n<li>Audit administrative user accounts regularly.<\/li>\n<li>When configuring access controls, apply the principle of least privilege (PoLP).<\/li>\n<li>Implement network segmentation.<\/li>\n<li>Use multi-factor authentication with strong passphrases.<\/li>\n<\/ul>\n<h3>4. Indicators of Compromise<\/h3>\n<p>The FBI believe that the following IOCs are linked to this conduct:<\/p>\n<table>\n<tbody>\n<tr>\n<th style=\"border: 1px solid black; background-color: lightgray;padding-top:10px;text-align:center;\">Indicators<\/th>\n<th style=\"border: 1px solid black; background-color: lightgray;padding-top:10px;padding-right:10px;text-align:center;\">Description<\/th>\n<\/tr>\n<tr>\n<td>157[.]245[.]239[.]187<br \/>\n80[.]82[.]67[.]221<br \/>\n167[.]71[.]224[.]39<br \/>\n31[.]187[.]64.[.]199<br \/>\n134[.]209[.]203[.]30<br \/>\n138[.]197[.]179[.]153<br \/>\n206[.]189[.]227[.]145<\/td>\n<td>Related IPs<\/td>\n<\/tr>\n<tr>\n<td>june85[.]cyou<br \/>\ngolddisco[.]top<br \/>\nintensemisha[.]cyou<br \/>\ndelokijio[.]pw<br \/>\nbiggarderoub[.]cyou<br \/>\nd30qpb9e10re4o[.]cloudfront[.]net<br \/>\nnix1[.]xyz<\/td>\n<td>Related domains<\/td>\n<\/tr>\n<tr>\n<td>ECA9FAC6848545FF9386176773810F96323FEFF0D575C4B6E1C55F8DB842E7FE<br \/>\nE70ED531C8A12E7ECCE83223D7B9AA1895110DC140EDF85AFC31C8C5CD580116<\/td>\n<td>Related hashes<\/td>\n<\/tr>\n<tr>\n<td>hxxp:\/\/5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad[.]onion<\/td>\n<td>TOR URL<\/td>\n<\/tr>\n<tr>\n<td>bc1qds0yly3fn608gtm332gag029munvlute2wxktn<\/td>\n<td>BTC address<\/td>\n<\/tr>\n<tr>\n<td>1percentransomware@protonmail[.]com<\/td>\n<td>Email address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Endnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/www.ic3.gov\/Media\/News\/2021\/210823.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.ic3.gov\/Media\/News\/2021\/210823.pdf<\/a><\/li>\n<li><a href=\"https:\/\/www.cisecurity.org\/white-papers\/security-primer-icedid\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.cisecurity.org\/white-papers\/security-primer-icedid\/<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Rclone\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/en.wikipedia.org\/wiki\/Rclone<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Tor_(network)\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/en.wikipedia.org\/wiki\/Tor_(network)<\/a><\/li>\n<li><a href=\"https:\/\/doubleoctopus.com\/security-wiki\/threats-and-tools\/mimikatz\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/doubleoctopus.com\/security-wiki\/threats-and-tools\/mimikatz\/<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/b4rtik\/SharpKatz\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/b4rtik\/SharpKatz<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Flangvik\/BetterSafetyKatz\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/Flangvik\/BetterSafetyKatz<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/cobbr\/SharpSploit\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/cobbr\/SharpSploit<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Laksh Sethi &nbsp; 1. Executive Summary On 23 August, the Federal Bureau of Investigation (FBI) released a flash alert1 about an ongoing campaign conducted by the OnePercent Group: a group that has been using Cobalt Strike to launch ransomware attacks against U.S. companies since November 2020. The alert also provides a list of indicators [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6722,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[554],"tags":[236,488,294,40,189],"class_list":{"0":"post-6896","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-cyberthreat","9":"tag-cyberthreat-intelligence-report","10":"tag-malspam","11":"tag-threat-intelligence","12":"tag-cybersecurity","13":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>OnePercent Group Using Cobalt Strike to Launch Ransomware | Cyber Threat Advisory<\/title>\n<meta name=\"description\" content=\"The FBI released a flash alert for an ongoing campaign conducted by the OnePercent Group to launch ransomware attacks against U.S. companies since November 2020.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OnePercent Group Ransomware Campaign\" \/>\n<meta property=\"og:description\" content=\"The FBI released a flash alert for an ongoing campaign conducted by the OnePercent Group to launch ransomware attacks against U.S. companies since November 2020.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-25T23:04:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-07T19:20:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"408\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"OnePercent Group Ransomware Campaign\",\"datePublished\":\"2021-08-25T23:04:34+00:00\",\"dateModified\":\"2024-08-07T19:20:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/\"},\"wordCount\":660,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"keywords\":[\"Cyberthreat\",\"Cyberthreat intelligence report\",\"Malspam\",\"Threat Intelligence\",\"Cybersecurity\"],\"articleSection\":[\"Cyber Threat Advisory\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/\",\"name\":\"OnePercent Group Using Cobalt Strike to Launch Ransomware | Cyber Threat Advisory\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"datePublished\":\"2021-08-25T23:04:34+00:00\",\"dateModified\":\"2024-08-07T19:20:12+00:00\",\"description\":\"The FBI released a flash alert for an ongoing campaign conducted by the OnePercent Group to launch ransomware attacks against U.S. companies since November 2020.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"width\":612,\"height\":408,\"caption\":\"Big data and hacking concept. Back view of hacker at desktop using creative digital numbers mesh on blurry bokeh background. Multiexposure\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/onepercent-group-ransomware-campaign\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Threat Advisory\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-threat-advisory\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"OnePercent Group Ransomware Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"OnePercent Group Using Cobalt Strike to Launch Ransomware | Cyber Threat Advisory","description":"The FBI released a flash alert for an ongoing campaign conducted by the OnePercent Group to launch ransomware attacks against U.S. companies since November 2020.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/","og_locale":"en_US","og_type":"article","og_title":"OnePercent Group Ransomware Campaign","og_description":"The FBI released a flash alert for an ongoing campaign conducted by the OnePercent Group to launch ransomware attacks against U.S. companies since November 2020.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/","og_site_name":"Infoblox Blog","article_published_time":"2021-08-25T23:04:34+00:00","article_modified_time":"2024-08-07T19:20:12+00:00","og_image":[{"width":612,"height":408,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"OnePercent Group Ransomware Campaign","datePublished":"2021-08-25T23:04:34+00:00","dateModified":"2024-08-07T19:20:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/"},"wordCount":660,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg","keywords":["Cyberthreat","Cyberthreat intelligence report","Malspam","Threat Intelligence","Cybersecurity"],"articleSection":["Cyber Threat Advisory"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/","name":"OnePercent Group Using Cobalt Strike to Launch Ransomware | Cyber Threat Advisory","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg","datePublished":"2021-08-25T23:04:34+00:00","dateModified":"2024-08-07T19:20:12+00:00","description":"The FBI released a flash alert for an ongoing campaign conducted by the OnePercent Group to launch ransomware attacks against U.S. companies since November 2020.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg","width":612,"height":408,"caption":"Big data and hacking concept. Back view of hacker at desktop using creative digital numbers mesh on blurry bokeh background. Multiexposure"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/onepercent-group-ransomware-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Threat Advisory","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-threat-advisory\/"},{"@type":"ListItem","position":4,"name":"OnePercent Group Ransomware Campaign"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6896"}],"version-history":[{"count":9,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6896\/revisions"}],"predecessor-version":[{"id":6937,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6896\/revisions\/6937"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6722"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}