The FBI warned that the threat actor dubbed "OnePercent Group" has been leveraging Cobalt Strike to launch ransomware attacks against various organizations in the U.S. since last November, BleepingComputer reports.
"OnePercent Group actors encrypt the data and exfiltrate it from the victims' systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency," the FBI said in a flash alert.
The FBI said that OnePercent Group has been deploying the IcedID banking trojan on targets' systems through phishing email attachments. Cobalt Strike is downloaded and installed after the initial trojan infection, and OnePercent Group proceeds to file encryption after maintaining network access for up to a month. The FBI added that OnePercent Group is also using spoofed phone numbers to threaten victims with exposure of the stolen data.
"When a victim company does not respond, the actors send subsequent threats to publish the victim company's stolen data via the same ProtonMail email address," said the FBI.