3AM Ransomware Tricks Users with Fake IT Calls

3AM Ransomware’s Deceptive Tactics

3AM ransomware, a rising threat since late 2023, targets organizations with cunning strategies. This Rust-coded malware encrypts files and steals data, demanding payment to avoid leaks. Encrypted files are given a “.threeamtime” extension. It also deletes backups, making recovery nearly impossible.

Spoofed IT Calls and Email Bombing

Attackers use spoofed IT calls and email bombing to gain access. They flood a target’s inbox with unsolicited emails—24 in three minutes. Meanwhile, they impersonate IT staff, spoofing real phone numbers so the call appears to come from the organization itself. This social engineering tactic convinces employees to grant remote access via tools like Quick Assist.
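The email-bombing step described above is detectable on the mail gateway: a sudden burst of messages to one recipient from many unrelated senders. The following added example (not code from the original article or from any vendor) flags recipients who receive at least 24 messages within any three-minute sliding window, the figures reported for this campaign. The log format and the sample lines are constructed assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real MTA's format):
#   "<ISO-8601 timestamp> to=<recipient> from=<sender>"
def parse_line(line):
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["to"], fields["from"]

def find_email_bursts(log_text, threshold=24, window=timedelta(minutes=3)):
    """Return {recipient: info} for every recipient that received at least
    `threshold` messages inside any sliding `window` (defaults taken from the
    24-messages-in-three-minutes figure reported for this campaign)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender) inside window
    alerts = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:          # evict messages older than the window
            q.popleft()
        if len(q) >= threshold:
            info = alerts.setdefault(rcpt, {"first_seen": q[0][0], "count": 0, "distinct_senders": 0})
            info["count"] = max(info["count"], len(q))
            info["distinct_senders"] = max(info["distinct_senders"], len({s for _, s in q}))
    return alerts

def build_sample_log():
    """Constructed sample: 26 subscription-style messages to alice within 150 seconds
    from 26 different senders, plus three normal messages to bob spread over 20 minutes."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=6 * i)).isoformat()} to=alice@example.com "
             f"from=signup{i}@list{i}.example" for i in range(26)]
    lines += [f"{(base + timedelta(minutes=10 * i)).isoformat()} to=bob@example.com "
              f"from=colleague@example.com" for i in range(3)]
    return "\n".join(lines)

if __name__ == "__main__":
    for rcpt, info in find_email_bursts(build_sample_log()).items():
        print(f"{rcpt}: {info['count']} messages from {info['distinct_senders']} "
              f"senders, burst started {info['first_seen']}")
```

A high count of distinct senders alongside the volume distinguishes a subscription-bombing burst from a single noisy mailing list, and the burst start time is the moment to expect the follow-up “IT support” call.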

How the Attack Unfolds

The attacker tricks users into downloading a malicious archive. This archive contains a VBS script, a QEMU emulator, and a Windows 7 image with a QDoor backdoor. QEMU runs that image as a virtual machine, so the backdoor’s network traffic is tunnelled through the emulator and hidden from host-based monitoring. Consequently, attackers maintain undetected access to the system.

Stealing Data and Evading Detection

Through PowerShell and WMIC, attackers perform reconnaissance. They create admin accounts and install remote management tools. In one case, they stole 868 GB of data using cloud storage. However, a report notes that encryption attempts were blocked, limiting further damage.

Symptoms of 3AM Infection

Infected systems show clear signs of compromise. Files become inaccessible with a “.threeamtime” extension. Security programs may stop working. Additionally, browsers might redirect to attacker-controlled sites. A ransom note, “RECOVER-FILES.txt,” demands payment in cryptocurrency.

A Growing Trend in Cybercrime

This tactic mirrors methods used by other ransomware groups. For example, similar attacks exploited Microsoft Teams for phishing. The leak of these strategies has fueled wider adoption among hackers. Therefore, organizations must stay alert to evolving threats.

Preventing 3AM Ransomware Attacks

To avoid 3AM attacks, verify IT requests before granting access. For example, confirm caller identities using official channels. Train employees to recognize phishing emails and enable multi-factor authentication. Additionally, keep backups offline and update security software regularly. These steps reduce the risk of ransomware and data theft.

Sleep well, we’ve got you covered.