A new ransomware family called 3AM has been discovered. It is written in Rust and appears to be completely new, unrelated to any known ransomware family. 3AM is so-called because it appends encrypted files with the extension .threeamtime.
3AM attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies. It also appears to steal data before encrypting it and threatens to sell the stolen data if the ransom is not paid.
3AM was first observed being used by a ransomware affiliate that attempted to deploy LockBit on a target's network but switched to 3AM when LockBit was blocked. The use of 3AM was only partially successful. The attackers only managed to deploy it to three machines on the organization's network and it was blocked on two of those three computers.
Researchers symantec believe that 3AM is likely to attract the interest of other attackers and could be seen more often in the future. This is because it was used as a fallback by a LockBit affiliate, which suggests that it is capable of bypassing some defenses.
How to protect yourself from 3AM ransomware
Organizations can protect themselves from 3AM and other ransomware attacks by implementing layered security controls, including:
- Keeping software up to date
- Using strong passwords and multi-factor authentication
- Educating employees about cybersecurity best practices
- Backing up data regularly and testing backups to ensure they can be restored
- Using security solutions that can detect and block ransomware attacks
Additional information about 3AM ransomware
- 3AM is a newly developed ransomware written in Rust, and operates as a 64-bit executable with the capability to execute multiple commands. These commands can halt applications, obstruct backup processes, and disable security software.
- 3AM encrypts files that meet predefined criteria, and adds the extension “.threeamtime” to the filenames of the compromised files. It also tries erasing Volume Shadow (VSS) copies.
- Following encryption, the ransomware generates a TXT file named “RECOVER-FILES” in each scanned folder, containing the ransom note. The note threatens to sell the victim's stolen data if the ransom is not paid.
- In a failed LockBit attack, threat actors deployed the 3AM ransomware on three computers within the target organization’s network. However, their attempts were again thwarted on two of these machines.
- The precise entry point used in the attack remains unclear. However, researchers observed the attackers employing the post-exploitation tool Cobalt Strike and initiating reconnaissance commands such as “whoami,” “netstat,” “quser,” and “net share” to facilitate lateral movement. To maintain persistence, the attackers added a new user. They then utilized the Wput tool to exfiltrate files to their FTP server.
- After a successful attack, the attackers await contact from the victims. There is a TOR support portal for 3AM, which is used to negotiate on ransom payments with victims.
Conclusion
3AM is a new ransomware family that is likely to attract the interest of other attackers and could be seen more often in the future. Organizations can protect themselves from 3AM and other ransomware attacks by implementing layered security controls, including keeping software up to date, using strong passwords and multi-factor authentication, educating employees about cybersecurity best practices, backing up data regularly, and using security solutions that can detect and block ransomware attacks.
Indicators of Compromise
SHA256 file hashes:
079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22 – LockBit
307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e – 3AM
680677e14e50f526cced739890ed02fc01da275f9db59482d96b96fbc092d2f4 – Cobalt Strike
991ee9548b55e5c815cc877af970542312cff79b3ba01a04a469b645c5d880af – Cobalt Strike
ecbdb9cb442a2c712c6fb8aee0ae68758bc79fa064251bab53b62f9e7156febc – Cobalt Strike
Network indicators:
185.202.0[.]111
212.18.104[.]6
85.159.229[.]62
0 Comments