Hackers use new 3AM ransomware as an emergency LockBit fallback

A new ransomware strain called 3AM has been uncovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network.

Researchers say in a report today that the new malware “has only been used in a limited fashion” and it was a ransomware affiliate’s fallback when defense mechanisms blocked LockBit.

Rare occurrence

Symantec’s Threat Hunter Team, part of Broadcom, says that attacks using 3AM ransomware are rare, saying that they only saw it in a single incident when a ransomware affiliate switched to it because they could not deploy LockBit.

BleepingComputer is aware of a 3AM ransomware attack that occurred in February, around the time the operation appears to have launched, but could not obtain a sample for analysis.

3AM ransomware extortion follows the common trend of stealing data before encrypting it and dropping a ransom note threatening to sell the stolen information unless the attacker gets paid.

Below is a redacted copy of the ransom note text enclosed in a file named 'RECOVER-FILES.txt' that is present in every folder that the malware scans:

Hello. "3 am" The time of mysticism, isn't it?

All your files are mysteriously encrypted, and the systems "show no signs of
life", the backups disappeared. But we can correct this very quickly and return
all your files and operation of the systems to original state.

All your attempts to restore data by himself will definitely lead to their
damage and the impossibility of recovery. We are not recommended to you to
do it on our own!!! (or do at your own peril and risk).


There is another important point: we stole a fairly large amount of sensitive
data from your local network: financial documents; personal information of your
employees, customers, partners; work documentation, postal correspondence and
much more.

We prefer to keep it secret, we have no goal to destroy your business.
Therefore can be no leakage on our part.

We propose to reach an agreement and conclude a deal.


Otherwise, your data will be sold to DarkNet/DarkWeb. One can only guess how
they will be used.

Please contact us as soon as possible, using Tor-browser:
http://threeamxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion/recovery

Access key:
xxx

The operation has a very basic negotiation site on the Tor network that only provides access to a negotiation chat window based on a passkey provided in the ransom note.

Pre-encryption attack signals

Symantec’s Threat Hunter Team says that 3AM is written in Rust and appears to be unrelated to any known ransomware family, making it a completely new malware.

Before starting to encrypt files, 3AM tries to stop multiple services running on the infected system for various security and backup products from vendors like Veeam, Acronis, Ivanti, McAfee, or Symantec.

Once the encryption process completes, files have the .THREEAMTIME extension and the malware also attempts to delete Volume Shadow copies that could be used to recover the data.

The researchers say that a 3AM ransomware attack is preceded by the use of a “gpresult” command that dumps the system’s policy settings for a specific user.

“The attacker also executed various Cobalt Strike components and tried to escalate privileges on the computer using PsExec” - Symantec Threat Hunter Team

The researchers observed the use of commands commonly used for reconnaissance (e.g. whoaminetstatquser, and net share), enumerating servers (e.g. qusernet view), adding a new user for persistence, and the use of the old wput FTP client to copy files to the attacker’s server. 

According to Symantec’s malware analysis, the 3AM Rust-based 64-bit executable recognizes the following command-line parameters:

  • "-k" - 32 Base64 characters, the "access key" in the ransom note
  • "-p" - unknown
  • "-h" - unknown
  • "-m" - method, where the code checks one of two values before running encryption logic:
    • "local"
    • "net"
  • "-s" - determines offsets within files for encryption to control encryption speed, expressed as decimal digits.

Although researchers frequently see new ransomware families, few of them gain sufficient popularity to turn into a stable operation.

Because 3AM was used as an alternative to LockBit, it is likely to attract the interest of other attackers and be used more often.

However, despite being a new threat, which is typically more likely to bypass defenses and run undetected, 3AM was only partially successful during the attack that Symantec investigated.

The researchers say that the threat actor was able to deploy the malware only on three machines of the targeted organization and its activity was blocked on two of the systems, showing that there already are defenses against it.

Symantec’s report shares a set of file hashes for the LockBit and 3AM samples, as well as the Cobalt Strike components used in the attack and network indicators.

Related Articles:

New Qilin ransomware encryptor features stronger encryption, evasion

Police arrest four suspects linked to LockBit ransomware gang

New ShrinkLocker ransomware decryptor recovers BitLocker password

Attacks on Citrix NetScaler systems linked to ransomware actor

New Ymir ransomware partners with RustyStealer in attacks