3AM Ransomware Email Bomb and Vishing Threat

May 22, 2025
in Alerts
A 3AM ransomware affiliate is conducting highly targeted attacks against corporate environments, combining email bombing with spoofed IT support phone calls. The voice phishing (vishing) call socially engineers employees into handing over their remote access credentials. The tactic was previously linked to the Black Basta ransomware gang and was later observed in FIN7 cybercrime group attacks. Its effectiveness has driven wider adoption among other threat actors: Sophos reports seeing at least 55 attacks leveraging the technique between November 2024 and January 2025. The leak of Black Basta's internal conversations helped other threat actors learn it quickly.

A 3AM ransomware attack in early 2025 targeted one of Sophos's clients and followed the Black Basta approach with a twist. Instead of relying solely on Microsoft Teams vishing, the attackers placed real phone calls and spoofed the official phone number of the target company's IT department, which made the call appear far more legitimate to the employee. The call came during an intense email bombing wave against the targeted user. The attacker then convinced the employee to open Microsoft Quick Assist and grant remote access, supposedly as a response to malicious activity.

Once remote access was granted, the attacker downloaded a malicious archive from a spoofed domain. The archive contained a VBS script, a QEMU emulator and a Windows 7 image pre-loaded with the QDoor backdoor for persistent access. QEMU was used to evade detection by routing network traffic through virtual machines, giving the attacker persistent and largely undetected access to the corporate network. From there the attackers performed reconnaissance with common tools such as WMIC and PowerShell, created a new local administrator account to connect over Remote Desktop Protocol (RDP), and installed the commercial remote management tool XEOXRemote for easier ongoing access. Eventually they compromised a domain administrator account, gaining even higher network privileges.

Although Sophos blocked lateral movement, 868 GB of data was exfiltrated using the GoodSync tool.

Sophos's security products blocked subsequent attempts to run the 3AM ransomware encryptor, so the damage was largely limited to data theft and encryption of the initially compromised host. The intrusion lasted nine days in total, and the data theft was concluded by the third day. Sophos suggested several defensive steps to block these attacks: auditing administrative accounts, using effective XDR security tools, enforcing signed scripts through PowerShell execution policies, and using IoC blocklists. Increasing employee awareness of email bombing and voice phishing is also crucial. The 3AM ransomware operation first launched in the later part of 2023 and has since been linked by researchers to the Conti and Royal ransomware gangs.
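As an added example (not from the article or the Sophos report), a small Python correlation check over constructed Windows-style process and account events that flags the chain described above on a single host: a Quick Assist session, a QEMU launch, a new local administrator and GoodSync, all within the three-day window in which the data theft completed. Event shapes, hostnames and executable names are assumptions.

```python
"""Correlate per-host events into stages of the 3AM intrusion chain.
Added example; event format, hostnames and image names are assumed."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). WS-41 shows the full chain;
# WS-07 shows a single QEMU launch plus a GoodSync run weeks later.
SAMPLE_EVENTS = [
    {"ts": "2025-02-03T09:12:00", "host": "WS-41", "kind": "process", "image": "QuickAssist.exe"},
    {"ts": "2025-02-03T09:40:00", "host": "WS-41", "kind": "process", "image": "qemu-system-x86_64.exe"},
    {"ts": "2025-02-03T10:05:00", "host": "WS-41", "kind": "account_created", "user": "svc_helpdesk"},
    {"ts": "2025-02-03T10:06:00", "host": "WS-41", "kind": "group_add", "user": "svc_helpdesk", "group": "Administrators"},
    {"ts": "2025-02-04T02:15:00", "host": "WS-41", "kind": "process", "image": "goodsync.exe"},
    {"ts": "2025-02-03T11:00:00", "host": "WS-07", "kind": "process", "image": "qemu-system-x86_64.exe"},
    {"ts": "2025-02-20T08:00:00", "host": "WS-07", "kind": "process", "image": "goodsync.exe"},
]

# Assumed executable names for the tools named in the write-up.
SUSPECT_IMAGES = {
    "quickassist.exe": "quickassist",
    "qemu-system-x86_64.exe": "qemu",
    "goodsync.exe": "goodsync",
}
WINDOW = timedelta(days=3)  # the article notes data theft concluded by day three


def correlate(events, window=WINDOW):
    """Return {host: sorted stage names} seen within `window` of the first
    suspicious event on that host. Later events are dropped, not restarted."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        stage = None
        if ev["kind"] == "process":
            stage = SUSPECT_IMAGES.get(ev["image"].lower())
        elif ev["kind"] == "group_add" and ev["group"].lower() == "administrators":
            stage = "new_local_admin"
        if stage is None:
            continue
        h = by_host.setdefault(ev["host"], {"first": ts, "stages": set()})
        if ts - h["first"] <= window:
            h["stages"].add(stage)
    return {host: sorted(v["stages"]) for host, v in by_host.items()}


def score(stages):
    """Two or more chain stages on one host -> high; a lone tool -> review."""
    return "high" if len(stages) >= 2 else "review"


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, score(stages), stages)
```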

Reference:

  • 3AM Ransomware Social Engineering Email Bombing Uses QEMU For Evasion