A series of targeted attacks utilizing email bombing, spoofed IT calls, and social engineering has been linked to the 3AM ransomware operation, resulting in data theft and network infiltration. These attacks mimic tactics seen in Black Basta and FIN7 campaigns, employing sophisticated evasion and remote access techniques. #BlackBasta #FIN7 #3AMransomware #QDoorbackdoor
Key points
- 3AM ransomware affiliates are using email flooding and spoofed IT calls to trick employees into granting remote access.
- The attack methods are inspired by, and similar to, Black Basta and FIN7 cyber campaigns.
- Attackers employed QEMU virtualization to hide malicious activity and maintain persistence within networks.
- Sophos detected exfiltration of 868 GB of data despite blocking lateral movement and encryptor deployment.
- Preventative measures include auditing accounts, using XDR tools, enforcing script policies, and increasing employee awareness.
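Two of the behaviours listed above are cheap to look for in telemetry a defender already collects: a QEMU hypervisor binary launched from a user-writable path rather than an approved install location, and an inbound mail flood aimed at a single mailbox (the "email bombing" that precedes the spoofed IT call). The following Python is an added illustration written for this summary, not code from the article or from Sophos. The pipe-delimited log format, host names, mailbox addresses, the approved install directory, and the 50-messages-in-10-minutes threshold are all constructed for the example and would need to be replaced with a site's real values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a hypothetical format:
# timestamp|host|user|image_path|command_line
PROCESS_EVENTS = [
    r"2025-01-15T09:20:11|WS-17|jdoe|C:\Users\jdoe\AppData\Local\Temp\qemu-system-x86_64.exe|"
    r"qemu-system-x86_64.exe -m 512 -drive file=disk.qcow2 -netdev user,id=n0",
    r"2025-01-15T09:21:03|WS-17|jdoe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2025-01-15T09:22:40|DEV-02|build|C:\Program Files\qemu\qemu-system-x86_64.exe|"
    r"qemu-system-x86_64.exe -m 2048 -cdrom installer.iso",
]

# Constructed inbound-mail events: timestamp|recipient|sender
# 60 newsletter sign-up confirmations hitting one mailbox within five minutes,
# plus three ordinary messages to an unrelated mailbox.
_BASE = datetime(2025, 1, 15, 9, 0, 0)
MAIL_EVENTS = [
    f"{(_BASE + timedelta(seconds=5 * i)).isoformat()}|finance@corp.example|list{i}@newsletters.example"
    for i in range(60)
] + [
    f"{(_BASE + timedelta(minutes=3 * i)).isoformat()}|hr@corp.example|colleague{i}@corp.example"
    for i in range(3)
]

# Matches the QEMU system emulator binary name regardless of architecture suffix.
QEMU_IMAGE = re.compile(r"(?:^|[\\/])qemu-system-[a-z0-9_]+(?:\.exe)?$", re.IGNORECASE)

# Constructed allowlist of directories where QEMU is legitimately installed.
APPROVED_INSTALL_DIRS = ("c:\\program files\\qemu\\",)


def find_unexpected_qemu(events):
    """Return QEMU launches whose image path is outside the approved install dirs."""
    hits = []
    for line in events:
        ts, host, user, image, cmdline = line.split("|", 4)
        if not QEMU_IMAGE.search(image):
            continue
        normalized = image.replace("/", "\\").lower()
        if any(normalized.startswith(d) for d in APPROVED_INSTALL_DIRS):
            continue  # legitimate install location, ignore
        hits.append({"ts": ts, "host": host, "user": user,
                     "image": image, "cmdline": cmdline})
    return hits


def find_mail_floods(events, window=timedelta(minutes=10), threshold=50):
    """Return {recipient: peak_count} for mailboxes that received >= threshold
    messages inside any sliding window of the given length."""
    per_recipient = defaultdict(list)
    for line in events:
        ts, recipient, _sender = line.split("|", 2)
        per_recipient[recipient].append(datetime.fromisoformat(ts))

    flagged = {}
    for recipient, times in per_recipient.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[recipient] = peak
    return flagged


if __name__ == "__main__":
    for hit in find_unexpected_qemu(PROCESS_EVENTS):
        print(f"[QEMU from unexpected path] {hit['ts']} {hit['host']} {hit['user']} {hit['image']}")
    for recipient, count in find_mail_floods(MAIL_EVENTS).items():
        print(f"[mail flood] {recipient}: {count} messages in a 10-minute window")
```

The QEMU rule deliberately keys on the binary name rather than a hash, since the attackers described here used a legitimate hypervisor; pairing the path check with the command line (a `-netdev` option on a workstation that has no business running VMs) is what turns it into a useful alert. The mail-flood rule is a plain sliding-window count per mailbox and is meant to feed a help-desk heads-up, so that a follow-up call claiming to be "IT fixing your inbox" is recognised as the social-engineering step rather than taken at face value.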