FBI warns of ransomware group that infects victims via macros

The FBI has issued a warning about a ransomware group called "OnePercent" that infects organizations via macros in Word and Excel documents. According to the U.S. law enforcement agency, the group has been responsible for ransomware attacks against American organizations since November 2020 (PDF).

The attack starts with a zip file sent via email. The zip file in turn contains a Word or Excel document with a malicious macro. When the recipient opens the zip file and enables the macro in the document, the system is infected with the IcedID trojan, which then downloads Cobalt Strike.

Cobalt Strike is a tool for performing penetration tests on systems and networks, but it is also used by attackers to further compromise organizations they have breached. OnePercent uses Cobalt Strike to move laterally through the victim's network. Once sensitive information is found, the attackers use the program rclone to steal this data.

After the data theft comes the rollout of the ransomware, which encrypts all files on infected systems. The attackers then call the affected organization from spoofed phone numbers, the FBI said, and demand to speak with a designated negotiator, threatening to publish the stolen data otherwise.

The FBI gives organizations various pieces of advice on how to protect themselves, including monitoring for use of the rclone program; to that end it lists the hashes of the rclone builds involved so organizations can watch for them. This is followed by generic advice, such as making offline backups, patching systems, implementing network segmentation and using multi-factor authentication.
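One way to act on the hash advice above, as an added example that is not from the FBI flash or this article: hash on-disk binaries and scan Sysmon-style process-creation events for known rclone SHA-256 values. The hash in the known list and the log records are constructed placeholders; substitute the values from the FBI flash.

```python
import hashlib
import json

# PLACEHOLDER, not a real rclone hash: paste the SHA-256 values from the FBI flash here.
PLACEHOLDER_RCLONE_SHA256 = "0" * 63 + "1"
KNOWN_RCLONE_SHA256 = {PLACEHOLDER_RCLONE_SHA256}

# Constructed Sysmon Event ID 1 (process creation) records; the first one mimics
# a renamed rclone binary, the second a differently built rclone, the third is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": r"svchost.exe copy C:\Finance remote:out",
     "Hashes": "MD5=d41d8cd98f00b204e9800998ecf8427e,SHA256=" + PLACEHOLDER_RCLONE_SHA256},
    {"Image": r"C:\Program Files\rclone\rclone.exe",
     "CommandLine": "rclone.exe lsd backup:",
     "Hashes": "SHA256=" + "a" * 64},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "Hashes": "SHA256=" + "f" * 64},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'MD5=...,SHA256=...' field into {ALGO: lowercase hexdigest}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def sha256_of_file(path: str) -> str:
    """Hash an on-disk binary in chunks so it can be checked against the known list."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_rclone_executions(log_text: str) -> list:
    """Return events whose image SHA-256 is a known rclone build.
    Matching on the hash rather than the file name also catches renamed copies."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        digest = parse_hashes(event.get("Hashes", "")).get("SHA256")
        if digest in KNOWN_RCLONE_SHA256:
            hits.append({"image": event["Image"], "cmd": event["CommandLine"], "sha256": digest})
    return hits
```

Note that a hash list only matches the exact builds it contains: the second sample event, an rclone binary with another hash, is not flagged, so hash matching should be combined with monitoring for unexpected outbound transfers rather than relied on alone.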
