What is 3AM?
3AM (also known as ThreeAM) is a ransomware group that first emerged in late 2023. Like other ransomware threats, 3AM exfiltrates victims’ data (threatening to release it publicly unless a ransom is paid) and encrypts the copies left on targeted organisations’ computer systems.
So it’s the normal story with ransomware – exfiltrate, encrypt, extort?
Pretty much – but there are some notable aspects of 3AM that are worthy of mentioning.
Such as what?
The 3AM ransomware is unusual in that it is written in Rust. The language was probably chosen by the ransomware’s authors because of its performance.
Why does speed matter?
If you have potentially millions of files to encrypt across a victim’s network, speed matters a lot. The longer it takes to steal and encrypt a victim’s data, the greater the chance the attack will be noticed and disrupted while it is still in progress.
Anything else notable about the 3AM ransomware?
The 3AM ransomware renames encrypted files so they have a “.threeamtime” extension and adds a marker string of “0x666”. It also deletes Volume Shadow Copies to make recovery more difficult for victims. Furthermore, it appears that 3AM was initially developed as a “backup” for the notorious LockBit ransomware.
What do you mean by “backup”?
Not “backup” as in a “backup of your data”, unfortunately, but rather a “backup plan”. It appears that 3AM was sometimes deployed after an attempted LockBit attack had failed to run successfully.
As I recall LockBit had connections with Russia. So is that true of 3AM too?
Yes, that’s right. The authorities have named Dmitry Khoroshev, a Russian national, as the administrator of LockBit, and the US government has offered a US $10 million reward for information leading to his arrest. The cybercriminals behind 3AM appear to have strong links to LockBit, speak Russian, and mostly target Western-affiliated countries. 3AM has also been linked to the BlackSuit ransomware.
I see. So how will I know if my systems have been attacked with the 3AM ransomware?
3AM drops a ransom note on attacked systems, warning victims that their sensitive data has been stolen and proposing “a deal” to prevent it from being sold on the dark web.
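The indicators mentioned above (the “.threeamtime” extension, the “0x666” marker string and the deletion of Volume Shadow Copies) lend themselves to a quick triage check. The script below is an added example written for this article; it is not 3AM’s code, nor a Tripwire tool. It walks a directory tree for files carrying the extension, checks whether the marker string appears anywhere in them (the article does not say where 3AM writes the marker, so the whole file is searched), and scans a constructed command-line log for the vssadmin/wbadmin shadow-copy deletion commands that many ransomware families use (an assumption: the article does not name the command 3AM runs). The sample files and log lines are constructed for the demonstration.

```python
import re
from pathlib import Path

# Indicators the article reports for 3AM.
ENCRYPTED_EXT = ".threeamtime"
MARKER = b"0x666"

# Assumption (not stated in the article): shadow copies are wiped with the
# vssadmin/wbadmin commands commonly used by ransomware families.
SHADOW_WIPE = re.compile(
    r"\b(vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog)\b",
    re.IGNORECASE,
)

# Constructed sample of process command lines (e.g. an export of Sysmon Event ID 1).
SAMPLE_CMDLINES = [
    "2024-01-01 03:02:11 host01 C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-01-01 03:04:52 host01 vssadmin.exe delete shadows /all /quiet",
    "2024-01-01 03:04:53 host01 wbadmin.exe delete catalog -quiet",
    "2024-01-01 03:05:00 host01 C:\\Program Files\\Backup\\agent.exe --status",
]


def scan_tree(root):
    """Return (path, marker_present) for every file carrying the 3AM extension.

    Assumption: the marker is searched for anywhere in the file, because the
    article does not say where in an encrypted file 3AM writes it.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ENCRYPTED_EXT:
            hits.append((str(path), MARKER in path.read_bytes()))
    return hits


def scan_cmdlines(lines):
    """Return the log lines that contain a shadow-copy deletion command."""
    return [line for line in lines if SHADOW_WIPE.search(line)]


def triage(root, cmdlines):
    """Combine both checks into a verdict a responder can act on."""
    files = scan_tree(root)
    wipes = scan_cmdlines(cmdlines)
    marker_seen = any(has_marker for _, has_marker in files)
    if marker_seen and wipes:
        verdict = "likely 3AM"          # renamed files carry the marker and shadow copies were wiped
    elif files or wipes:
        verdict = "suspicious"          # one indicator alone: investigate, do not conclude
    else:
        verdict = "no 3AM indicators"
    return {"encrypted_files": files, "shadow_wipe_events": wipes, "verdict": verdict}


def build_sample_tree(root):
    """Create a constructed directory tree for the demo (not real victim data)."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    # Renamed file whose content ends with the marker string.
    (docs / "report.docx.threeamtime").write_bytes(b"\x8f\x12\xa4\x00ciphertext" + MARKER)
    # Untouched file: neither extension nor marker.
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04 untouched workbook")
    # Extension only: flagged, but reported as lacking the marker.
    (docs / "odd.threeamtime").write_bytes(b"no marker in this one")
    return docs


def run_demo():
    """Build the sample tree in a temporary directory, triage it and return the result."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp, SAMPLE_CMDLINES)


if __name__ == "__main__":
    result = run_demo()
    for path, has_marker in result["encrypted_files"]:
        print(f"{path}: marker={'yes' if has_marker else 'no'}")
    for line in result["shadow_wipe_events"]:
        print("shadow-copy wipe:", line)
    print("verdict:", result["verdict"])
```

Treat this as triage, not as your only detection: a file extension and a marker string are trivially changed between builds, and the shadow-copy deletion commands are shared by many ransomware families, so a match tells you that ransomware-like activity occurred rather than which family. Alerting on vssadmin/wbadmin deletions in your EDR or SIEM regardless of the family is the more durable control.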
Who has been bitten by the 3AM ransomware?
A number of organisations have fallen foul of 3AM, including New York’s Brunswick Hospital Center, a Louisiana-based HVAC company, and the city of Hoboken. The latter of those not only saw social security numbers, driver’s licenses, payroll, health and other personal data of Hoboken workers and residents leaked, but also erotic short stories found on an employee’s computer.
Ouch! That’s embarrassing. Presumably, 3AM will release the stolen data if no payment is made?
I’m afraid that does appear to be the case. 3AM’s dark web leak site lists past victims and includes links to the sensitive stolen data.
So, what action should I take right now?
The best thing to do is to ensure that you have hardened your defences before ransomware strikes. It would be wise to follow Tripwire’s general recommendations on how to protect your organisation from ransomware. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- restricting an attacker’s ability to spread laterally through your organisation by segmenting your network.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company does not need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Stay safe, and don’t allow your organisation to be the next victim to fall foul of the 3AM ransomware group.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.