3 AM Ransomware Dissection
Share this:
A new ransomware strain dubbed as “3AM” has been detected in an incident that attempted to infect a victim with LockBit ransomware had been blocked.
3AM ransomware is written in the Rust programming language and is new to the threat landscape. It attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow copies.
The threat actors behind the attack were unknown, and they were detected using a gpresult command to dump the policy settings enforced on the computer for a specified user. The attacker also used Cobalt Strike components and attempted to escalate privileges on the targeted computer using PsExec. Various other reconnaissance commands were used, and the attacker also added a new user for persistence.
The attackers then ran reconnaissance commands such as whoami, netstat, quser, and net share, and tried to enumerate other servers for lateral movement with the quser and net view commands. They also added a new user for persistence and used the Wput tool to exfiltrate the victims’ files to their own FTP server.
Where the attack path becomes interesting is that the attackers first attempted to install LockBit ransomware, but they were blocked. The attacker then attempted to deploy 3AM instead. The attack is described as only partially successful, with the attackers only managing to deploy it on three machines on the targeted organization’s network, and it was blocked on two of those three computers.
The ransomware will then scan the disk, and any files matching predefined criteria are encrypted, and the original files are deleted. 3AM is so-called because it appends encrypted files with the extension .threeamtime. The malware will then create the file “RECOVER-FILES.txt” in each scanned folder. This file contains the ransom note.
The encrypted files contain a marker string “0x666” followed by the data appended by the ransomware.
The researchers note that the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be used again in the future. In general, new threat groups emerge out of the box and evade quicly with some profits.
The LockBit ransomware gang operates on a ransomware-as-a-service (RaaS) model where affiliates use already-developed ransomware to execute attacks. LockBit has regularly been one of the most prolific ransomware groups online since emerging in 2020 and was named the most active threat actor in January.
This research was documented by researchers from Symantec Threat Analysis Group.
Indicators of Compromise
- 079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22
- 307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e
- 680677e14e50f526cced739890ed02fc01da275f9db59482d96b96fbc092d2f4
- 991ee9548b55e5c815cc877af970542312cff79b3ba01a04a469b645c5d880af
- ecbdb9cb442a2c712c6fb8aee0ae68758bc79fa064251bab53b62f9e7156febc
- 185.202.0[.]111
- 212.18.104[.]6
- 85.159.229[.]62
