The Record: “The US Federal Bureau of Investigations has published today its first-ever public advisory detailing the modus operandi of a “ransomware affiliate.” A relatively new term, a ransomware affiliate refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms, orchestrates intrusions into corporate networks, encrypt files with the “rented ransomware,” and then earn a commission from successful extortions. Going by the name of OnePercent Group, the FBI said today this threat actor has been active since at least November 2020. Per the FBI report [PDF], historically, the group has primarily relied on the following tactics for its attacks:

• Used phishing email campaigns to infect victims with the IcedID trojan.
• Used the IcedID trojan to deploy additional payloads on infected networks.
• Used the Cobalt Strike penetration testing framework to move laterally across a victim’s network.
• Used RClone to exfiltrate sensitive data from a victim’s servers.
• Encrypted data and demanded a ransom.
• Phoned or emailed victims to threaten to sell their stolen data on the dark web if they didn’t pay on time…”