The recently identified 3AM ransomware operation exhibits close ties to notorious groups, including the Conti syndicate and the Royal ransomware gang. Researchers from Intrinsec found significant overlaps in communication channels, infrastructure, and tactics between 3AM and the Conti syndicate. The 3AM gang has experimented with a novel extortion tactic, using Twitter bots to broadcast news of data leaks to victims’ social media followers. The group replied to high-ranking accounts, directing them to the data leak site, potentially to harm the victim’s business reputation.
Furthermore, Intrinsec discovered that 3AM ransomware likely tested this automated name-and-shame technique by spreading news of successful attacks on X (formerly Twitter). The researchers believe that an X/Twitter bot was employed to conduct this campaign, with an increased volume of replies, sometimes reaching 86 per day. Although 3AM’s intrusion sets are considered less sophisticated than the Royal group, they still pose a significant threat and could deploy numerous attacks. The Conti syndicate, the largest ransomware operation until its shutdown in May 2022, has splintered into multiple cells, with some members joining the Royal ransomware group.
The 3AM ransomware gang’s connections to the Conti syndicate and Royal group were unveiled by researchers, shedding light on its tactics and potential collaboration with other notorious entities. The use of Twitter bots for a name-and-shame campaign, targeting high-profile accounts, highlights the evolving strategies employed by ransomware groups. The Conti syndicate’s influence continues through groups like Royal, emphasizing the persistence of experienced threat actors in the cybercrime landscape. As the 3AM ransomware operation gains attention, the intricate web of affiliations and tactics within the ransomware ecosystem becomes increasingly complex and challenging to trace.