New 3AM Ransomware Emerges as LockBit Attack Fallback

A novel ransomware variant known as “3AM” has come to light following an unsuccessful LockBit ransomware attack on a target network. Researchers have disclosed that this malware is still relatively rare and has been used only sparingly.

It emerged as a contingency plan for a ransomware affiliate when their attempt to deploy LockBit was thwarted by defensive mechanisms.

Instances of 3AM ransomware attacks are infrequent, with researchers reporting encountering it in just a single incident. In this particular case, the ransomware affiliate turned to 3AM as an alternative due to their inability to execute the LockBit ransomware.

The 3AM ransomware attack, which occurred around February during what seems to be its initial launch phase, involved data theft before encryption.

Subsequently, a ransom note was dropped, containing threats to sell the stolen information unless the ransom was paid.

The operation behind 3AM maintains a rudimentary negotiation site on the Tor network. This site merely grants access to a negotiation chat window based on a passkey provided within the ransom note.

Notably, 3AM is coded in Rust and appears to have no direct ties to any known ransomware family, marking it as an entirely new malware strain.

Before commencing file encryption, 3AM attempts to halt multiple services running on the compromised system, primarily targeting security and backup products from vendors such as Veeam, Acronis, Ivanti, McAfee, and Symantec.

Upon successful encryption, files receive a “.THREEAMTIME” extension, and the malware makes an effort to delete Volume Shadow copies to hinder data recovery.

The researchers observed that a 3AM ransomware attack is preceded by the execution of a “gpresult” command, which retrieves the system’s policy settings for a specific user.

Further investigation revealed the use of various commands typically associated with reconnaissance activities, such as “whoami,” “netstat,” “quser,” and “net share.” The threat actor also engaged in server enumeration (“quser,” “net view”), added a new user for persistence, and employed the outdated wput FTP client to transfer files to the attacker’s server.

While new ransomware families frequently emerge, only a few attain enough prominence to establish stable operations. Given that 3AM was utilized as an alternative to LockBit, it may pique the interest of other attackers and become more prevalent in future attacks.

However, despite its status as a new threat, which often evades detection more effectively, 3AM achieved only partial success in the Symantec-investigated attack.

The threat actor managed to deploy the malware on just three machines within the targeted organization, and its activity was effectively halted on two of those systems, underscoring the presence of existing defenses against it.