A novel strain of ransomware known as “3AM” has surfaced, marking its presence in the cybersecurity landscape. This malware variant made its debut after being identified in a single security incident, during which an unidentified affiliate turned to 3AM following an unsuccessful attempt to deploy the Bitwise Spider AKA LockBit ransomware in a targeted network.
Notably, 3AM is coded in Rust, representing an entirely new malware family, as reported by the Symantec Threat Hunter Team, a division of Broadcom. This ransomware follows distinct modus operandi: it initiates its assault by disabling multiple services on the compromised system before proceeding to encrypt files. Once the encryption process concludes, it endeavors to erase Volume Shadow (VSS) copies, making data recovery challenging.
The name “3AM” originates from its ransom note and is further reflected in the appended file extension, “.threeamtime.” Presently, it remains uncertain whether the creators of this malware have affiliations with known cybercrime groups.
In the Symantec-monitored attack, the adversary successfully deployed 3AM on three machines within the targeted organization’s network, with countermeasures blocking its execution on two of them. This incursion stands out due to the use of Cobalt Strike for post-exploitation and privilege escalation, coupled with reconnaissance commands aimed at identifying additional servers for lateral movement. The specific entry point utilized in the attack remains undisclosed.
To maintain persistence, the threat actor introduced a new user and leveraged the Wput tool to exfiltrate victim data to their FTP server.
3AM, a 64-bit executable crafted in Rust, is designed to execute a series of commands. These commands include the termination of various security and backup-related applications, the encryption of files that meet predetermined criteria, and the removal of volume shadow copies.
While the precise origins of 3AM are shrouded in mystery, evidence suggests that the affiliate responsible for this attack may have targeted other entities. This information surfaced in a Reddit post dated September 9, 2023.
The evolving landscape of ransomware showcases increasing autonomy among ransomware affiliates, distinct from ransomware operators. While many new ransomware strains come and go swiftly, the fact that 3AM was employed as a fallback by a LockBit affiliate suggests that it may pique the interest of cybercriminals and potentially resurface in future exploits.