Cybersecurity researchers have recently discovered “3AM”, a new variant of ransomware.
The name 3AM comes from the ransom notes it leaves on victims’ systems. This new threat was discovered in an instance where Threat Actors initially attempted to deploy the well-known LockBit ransomware but were unsuccessful.
While data on 3AM ransomware still remains scarce due to the limited instances where it has been observed being deployed; all indications point towards it being used as a backup variant deployed by ransomware affiliates when LockBit and other known variants are unsuccessful in compromising the target system(s).
Potential Contingency for failed LockBit attacks?
Currently, researchers are basing this assumption mostly basis an isolated incident where LockBit was oberseved to be deployed but failed to execute due to comprehensive security measures established by the intended target.
The Threat Actor, who is presumed to be a ransomware affiliate at this point, then attempted to use 3AM ransomware as an alternative vector to compromise the target.
Characteristics of 3AM Ransomware
Unlike most ransomware variants, 3AM is coded in the Rust programming language and does not seem to be affiliated with any known ransomware groups at this point.
Its specific targets are backup and security services like Veeam, Ivanti, and McAfee, with the express aim of disabling them prior to initiating file encryption on targeted systems.
3AM’s Extortion Techniques and Negotiation platform
3AM uses fairly standard extortion techniques typical to most ransomware variants. The target data is initially exfiltrated to the Threat Actor, and the exfiltrated files are then encrypted.
Victims will be greeted with a ransom note upon login or trying to open the aforementioned encrypted files, wherein the note states that their data will be auctioned if the demanded ransom is not paid.
Similarly, 3AM also has a fairly basic Tor Negotiation network, which victims can access using the passkey given in the ransom note. While fairly rudimentary and standard for most Ransomware groups, this step adds an extra layer of security for the Threat Actor when it comes to the negotiation/ransom payment stage.
Command-Line Parameters of the 3AM Ransomware
3AM ransomware operates based on various command-line parameters, each with a unique purpose. We have listed them below, along with the purpose they serve:
• “-k”: This requires a 32-character Base64 string, typically the “access key” from the ransom note.
• “-p” and “-h”: The functionalities of these parameters are yet to be identified.
• “-m”: This specifies the operational method, which can be either “local” or “net.”
• “-s”: This controls the speed of the encryption process by determining offsets within files.
Evasion, Reconnaissance, and Persistence methods employed
The threat actor first deployed the “gpresult” command to obtain the enforced policy settings for a particular user on the device. Additionally, the attacker ran several Cobalt Strike modules and attempted to increase their level of access to the machine by utilizing PsExec.
3AM ransomware used multiple techniques to evade detection, such as incorporating Cobalt Strike Components and running privilege escalation tools like PsExec. For reconnaissance purposes, it implements commands like “netstat”, “whoami”, and “net share”.
After their initial attempt to employ LockBit ransomware was unsuccessful, the attackers turned to 3AM. Only a small portion of the utilization of 3AM proved successful. On the organization’s network, the attackers were only able to deploy malware to three machines before two of them prevented it.
3AM also tries to establish persistence on compromised systems by creating a new user account to ensure decryption and data recovery processes do not work, and the ransom needs to be paid for victims to regain access to their data.
Conclusion: A Budding Threat Yet To Bloom?
New ransomware families emerge constantly, but the majority either vanish just as soon or never manage to establish much traction. But given that a LockBit affiliate utilized 3AM as a fallback, it’s possible that attackers are still interested in it and that it will show up again in the future.
3AM is a relatively new variant in the ransomware game with a muted impact. This is partly due to the low number of systems that have been confirmed victims of this variant (researchers have identified just 3 victims at the moment, and mitigation efforts managed to prevent 2 of them from encryption by 3AM).
While this can be a good sign, indicating that 3AM can be countered with standard mitigation and security protocols, its usage as a backup to the notorious LockBit ransomware variant will surely give it credibility amongst ransomware operators and affiliates.
We expect further development and refinement of 3AM in the near future due to these reasons, making it a threat to watch out for.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
