3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack

3AM is a newly identified Rust-based ransomware family that appeared as a fallback after a LockBit deployment was blocked, with limited spread. The campaign shows initial use of gpresult, Cobalt Strike, and PsExec for discovery and persistence, followed by encryption and Tor-based ransom negotiation; the attackers claim data theft and potential Dark Web leakage. #3AM #LockBit #Rust #CobaltStrike #PsExec #Wput #DarkNet #DarkWeb

Keypoints

  • 3AM is a new Rust-based ransomware family observed in a limited attack, used as a fallback after LockBit was blocked.
  • The attackers used gpresult, Cobalt Strike, and PsExec for initial access and privilege escalation, plus discovery commands like whoami and netstat.
  • They added a new user for persistence and used the Wput tool to exfiltrate data to an FTP server.
  • Encryption targets files on the network, appends .threeamtime to encrypted files, creates RECOVER-FILES.txt ransom notes, and marks data with 0x666.
  • 3AM attempted to disable or stop security and backup tools, including firewall rules and VSS backups, and used extensive net stop commands against backup tools.
  • The campaign’s ransom notes and Tor-based contact imply extortion and possible data sale on the Dark Web; the attackers claimed they would not leak data unless demanded.
  • The initial deployment failed to fully propagate, reaching only three machines with two blocked, indicating limited impact so far.

MITRE Techniques

  • [T1082] System Information Discovery – The threat actor used gpresult to dump policy settings; “dump the policy settings enforced on the computer for a specified user.”
  • [T1021.002] Remote Services – The attackers used PsExec to escalate privileges and enable remote execution across hosts; “tried to escalate privileges on the computer using PsExec.”
  • [T1018] Remote System Discovery – Reconnaissance commands such as whoami, netstat, quser, and net share were used to enumerate other servers for lateral movement; “reconnaissance commands such as whoami, netstat, quser, and net share, and tried to enumerate other servers for lateral movement with the quser and net view commands.”
  • [T1136.001] Create Account – The attackers added a new user for persistence; “added a new user for persistence.”
  • [T1041] Exfiltration – Data exfiltration via the Wput tool to an FTP server; “Wput tool to exfiltrate the victims’ files to their own FTP server.”
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files, appends a marker, and deletes originals; “The ransomware will then scan the disk and any files matching predefined criteria are encrypted and the original files are deleted… The encrypted files contain a marker string ‘0x666’ followed by the data appended by the ransomware.”
  • [T1059] Command and Scripting Interpreter – The malware uses command-line parameters, including “-k” and mutual exclusivity of “-m” and “-h”; “The command-line parameters ‘-m’ and ‘-h’ are mutually exclusive… values ‘local’ and ‘net’”.
  • [T1562.004] Disable or Modify System Firewall – The malware runs netsh to alter firewall rules; “netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes”
  • [T1490] Inhibit System Recovery – The malware attempts to delete backups and shadow copies; “wbadmin.exe delete systemstatebackup…” and “vssadmin delete shadows /all /quiet”

Indicators of Compromise

  • [Domain] Tor onion domain used for ransom contact – threeam7[REDACTED].onion/recovery
  • [File extension] .threeamtime – extension appended to encrypted files
  • [File name] RECOVER-FILES.txt – ransom note created in each scanned folder
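A defender-side check that turns the commands quoted in the MITRE section (vssadmin, wbadmin, netsh advfirewall, net stop) and the two file artifacts listed above (.threeamtime, RECOVER-FILES.txt) into detection rules run over process and file telemetry. This is an added example, not code from the Symantec write-up; the log line format, host names, and the ExampleBackupSvc service name are constructed for the demo.

```python
"""Flag 3AM-style host artifacts in constructed process and file telemetry."""
import re

# Constructed telemetry (not real logs): timestamp, host, event type, one quoted field.
SAMPLE_LOG = r"""
2023-09-12T03:01:10Z host=WS01 event=process cmdline='whoami'
2023-09-12T03:01:11Z host=WS01 event=process cmdline='vssadmin delete shadows /all /quiet'
2023-09-12T03:01:12Z host=WS01 event=process cmdline='wbadmin.exe delete systemstatebackup'
2023-09-12T03:01:13Z host=WS01 event=process cmdline='netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes'
2023-09-12T03:01:14Z host=WS01 event=process cmdline='net stop ExampleBackupSvc'
2023-09-12T03:02:01Z host=FS02 event=file path='C:\Share\Finance\q3.xlsx.threeamtime'
2023-09-12T03:02:02Z host=FS02 event=file path='C:\Share\Finance\RECOVER-FILES.txt'
2023-09-12T03:02:03Z host=FS02 event=file path='C:\Share\Finance\notes.txt'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>process|file) "
    r"(?:cmdline|path)='(?P<value>[^']*)'$"
)

# (label, event type, pattern). Command patterns generalise the quoted commands
# slightly (optional .exe, case-insensitive); file patterns are the two IoCs above.
RULES = [
    ("T1490 shadow copy deletion (vssadmin)", "process",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490 system state backup deletion (wbadmin)", "process",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+systemstatebackup\b", re.I)),
    ("T1562.004 firewall rule change (netsh advfirewall)", "process",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\b.*\benable=yes\b", re.I)),
    ("net stop against a service", "process",
     re.compile(r"\bnet(?:\.exe)?\s+stop\s+\S+", re.I)),
    ("T1486 .threeamtime extension", "file",
     re.compile(r"\.threeamtime$", re.I)),
    ("T1486 RECOVER-FILES.txt ransom note", "file",
     re.compile(r"(?:^|[\\/])RECOVER-FILES\.txt$", re.I)),
]


def scan(log_text):
    """Return one (host, label, value) hit per matching event, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        for label, event, pattern in RULES:
            if m["event"] == event and pattern.search(m["value"]):
                hits.append((m["host"], label, m["value"]))
    return hits


if __name__ == "__main__":
    for host, label, value in scan(SAMPLE_LOG):
        print(f"{host}: {label}: {value}")
```

The benign whoami and notes.txt lines are deliberately included and produce no hits; in a real deployment the net stop rule would be narrowed to backup and security service names.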

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit