Cybersecurity Snapshots - 3AM Ransomware

By aekwall 

A new ransomware family called 3AM emerged in September 2023. Security researchers say that 3AM is written in Rust. According to security researchers at Broadcom, the ransomware functions as a 64-bit executable designed to disrupt applications, backup systems, and security software. It targets specific files, renames them with a ".threeamtime" extension, and aims to eliminate Volume Shadow copies, showcasing its destructive capabilities. So far, 23 victims have been posted to the group's leak site.

According to security researchers at SOCRadar 3AM begins its operation by using the "gpresult" command to extract policy settings from the target system. This is followed by a reconnaissance phase involving various commands for network and server enumeration, establishing persistence, and data exfiltration using tools like the Wput FTP client. The researchers noted that the malware is also known to employ command-line parameters for targeted operations, which include specifying the encryption method and controlling the encryption speed. 3AM conducts double extortion where the group exfiltrates and encrypts the data, then threatens to sell the data if not paid a ransom. The group has been recently seen testing a new extortion technique using automated X (formerly Twitter) bots to pressure victims. Researchers at Intrisec noted that the group was using automated replies on X to broadcast news of their successful attacks. The researchers said this tactic was likely employed to spread the news of the attacks and subsequent data leaks and damage the victim businesses' reputations.

According to new research by security researchers at Intrisec, there are notable links between 3AM, Conti, and Royal ransomware gangs, suggesting some association between the three gangs. The researchers noted that their analysis of the 3AM ransomware revealed "a significant overlap" in communication channels, infrastructure, and tactics, techniques, and procedures (TTPs) between 3AM and the Conti syndicate. The researchers also found that 3AM used a Cobalt Strike-deploying PowerShell script, a SOCKS4 proxy on TCP port 8000, and a TLS certificate from a machine linked to Royal ransomware attacks in 2022.

The rise of new ransomware groups highlights cyber threats' dynamic and ever-changing nature. The continuous increase in new ransomware groups underscores the importance of constant vigilance and adaptive defense strategies. As cybercriminals evolve, so must our approaches to cybersecurity, ensuring preparedness for both current and emerging threats. 

To see previous articles, please visit the Cybersecurity Snapshots Archive.