A new ransomware family called 3AM has emerged in the wild, it was discovered in an incident in which an unknown affiliate deployed the strain after a failed attempt to deploy LockBit (aka Bitwise Spider or Syrphid) into a target network.
“3AM is written in Rust and appears to be an entirely new malware family,” the Symantec Threat Hunter team, part of Broadcom, said in a report shared.
“The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies.”
3AM gets its name from the fact that it’s referenced in the ransom note. It also appends encrypted files with the extension .threeamtime. That said, it’s currently not known if the malware authors have any connections with known e-crime groups.
In the attack spotted by Symantec, the adversary is said to have managed to deploy the ransomware on three machines on the organization’s network, but it was blocked on only two of those machines.
This intrusion is notable for using Cobalt Strike to exploit and escalate privileges, after which reconnaissance commands are run to identify other servers for lateral movement. The exact entry route used in the attack is unclear.
“They also added a new user to Persistence and used the Wput tool to send victims’ files to their FTP server,” Symantec said.
A 64-bit executable written in Rust, 3AM is engineered to run a series of commands to stop various security and backup-related software, encrypt files matching predefined criteria, and purge volume shadow copies.
Although the exact origin of the ransomware remains unknown, according to a post shared on Reddit on September 9, 2023, there is evidence that the ransomware affiliate associated with the operation is targeting other entities.
“Ransomware affiliates have become increasingly independent from ransomware operators,” Symantec said.
“New ransomware families emerge frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used by a Lockbit affiliate as a fallback “This suggests that it may be of interest to attackers and may be reconsidered in the future.”
