FBI Flash TLP White: Indicators of Compromise Associated with OnePercent Group Ransomware – Aug 23, 2021

Alert Number


The FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.

OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data. The extortion/data leak typically follows these steps: 

  • Leak Warning: After initially gaining access to a victim network, OnePercent Group actors leave a ransom note stating the data has been encrypted and exfiltrated. The note states the victim needs to contact the OnePercent Group actors on TOR or the victim data will be leaked. If the victim does not make prompt communication within a week of infection, the OnePercent Group actors follow up with emails and phone calls to the victim stating the data will be leaked.
  • One Percent Leak: If the victim does not pay the ransom quickly, the OnePercent Group actors threaten to release a portion of the stolen data to various clearnet websites.
  • Full Leak: If the ransom is not paid in full after the “one percent leak”, OnePercent Group actors threaten to sell the stolen data to the Sodinokibi Group2 to publish at an auction.

View the entire report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272

Related Resources

The American Hospital Association (AHA) writes in support of the Protecting and Transforming Cyber Health Care (PATCH) Act (S.3983). AHA and its members are…
AHA Center for Health Innovation Market Scan
Health care is under attack as never before from cybercriminals, and the stakes are rising for hospitals and patient safety. The latest potential threat: The…
Advancing Health Podcast
Over the past few years every leader of health care organization in the country has had to acknowledge the threat of a cyberattack that has the potential to…
Advancing Health Podcast
In this special Cybersecurity podcast we have the opportunity to talk to leaders of an AHA member hospital who was a victim of a major ransomware attack in the…
AHA letter to Senators Jack Rosen and Bill Cassidy, M.D. voicing support of the Healthcare Cybersecurity Act (S.3904).
President Biden today urged an immediate hardening of private-sector cyber defenses “based on evolving intelligence that the Russian Government is exploring…