Cybersecurity researchers recently discovered “3AM,” a new ransomware variant.
The name 3AM comes from the ransom notes it leaves on victims’ systems. This new threat was discovered in a case where threat actors initially attempted to deploy the popular LockBit ransomware, but were unsuccessful.
3AM ransomware still remains rare, since its deployment has been observed in only a limited number of cases; all indications point to it being used as a backup variant, deployed by ransomware affiliates when LockBit and other known variants fail to compromise the target system(s).
Potential contingency in case of failed LockBit attacks?
Currently, researchers base this hypothesis primarily on a single incident in which LockBit was deployed but could not be executed because of the comprehensive security measures the intended target had in place.
The threat actor, who at this point is believed to be an affiliate of the LockBit ransomware, then attempted to use 3AM ransomware as an alternative means of compromising the target.

Characteristics of 3AM ransomware
Unlike most ransomware variants, 3AM is coded in the Rust programming language and does not currently appear to be affiliated with any known ransomware groups.
It specifically targets backup and security services such as Veeam, Ivanti and McAfee, with the express aim of disabling them before it begins encrypting files on the targeted systems.
3AM extortion and negotiation techniques
3AM uses fairly standard extortion techniques, typical of most ransomware variants. The target's data is first exfiltrated to the threat actor, and the files are then encrypted.
Victims are greeted with a ransom demand when logging in or attempting to open the encrypted files; the note states that their data will be auctioned if the demanded ransom is not paid.
Likewise, 3AM also operates a fairly basic Tor negotiation site, which victims can access using the password given in the ransom note. Although rudimentary and standard for most ransomware groups, this step adds an extra layer of security for the threat actor during the ransom negotiation and payment stage.
3AM ransomware command line parameters
3AM ransomware is driven by several command line parameters, each serving a distinct purpose. They are listed below, along with the purpose each serves:
• “-k”: requires a 32-character Base64 string, typically the “access key” from the ransom note.
• “-p” and “-h”: the functionalities of these parameters remain to be identified.
• “-m”: This specifies the operational method, which can be “local” or “net”.
• “-s”: This controls the speed of the encryption process by determining offsets in files.
Evasion, reconnaissance and persistence methods used
The threat actor first ran the “gpresult” command to obtain the policy settings applied to a particular user on the device. The attacker also executed several Cobalt Strike modules and attempted to escalate their level of access on the machine using PsExec.
The 3AM ransomware used several techniques to evade detection, such as integrating Cobalt Strike components and running privilege escalation tools like PsExec. For reconnaissance purposes, it runs commands such as “netstat”, “whoami” and “net share”.
After their first attempt to use LockBit ransomware failed, the attackers switched to 3AM. Only a small part of the 3AM deployment proved successful: on the organization’s network, the attackers were only able to deploy the malware on three machines, and on two of them it was blocked.
3AM also attempts to establish persistence on compromised systems by creating a new user account, so that decryption and data recovery do not work and the ransom must be paid for victims to regain access to their data.
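As an added example (not code from the original report), the following Python sketch tags constructed process-creation events against the stages this write-up describes: the reconnaissance commands, stopping of backup and security services, the 3AM command line with its “-k” 32-character Base64 key and “-m” local/net switch, and the account creation used for persistence. The event format, host names, binary name, service name and key value are all assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, parent, command line), loosely modelled
# on EDR telemetry. Binary name, service name and key are illustrative, not IoCs.
EVENTS = [
    ("ws01", "cmd.exe", "gpresult /r"),
    ("ws01", "cmd.exe", "whoami"),
    ("ws01", "cmd.exe", "netstat -an"),
    ("ws01", "cmd.exe", "net share"),
    ("ws01", "cmd.exe", "net stop VeeamBackupSvc"),
    ("ws01", "cmd.exe", "unknown.exe -k QUJDREVGR0hJSktMTU5PUFFSU1RVVldY -m local -s 10"),
    ("ws01", "cmd.exe", "net user svc_backup P@ss /add"),
    ("ws02", "explorer.exe", "notepad.exe report.txt"),
]

# "-k" takes a 32-character Base64 "access key"; "-m" takes "local" or "net".
KEY_RE = re.compile(r"(?:^|\s)-k\s+([A-Za-z0-9+/=]{32})(?=\s|$)")
MODE_RE = re.compile(r"(?:^|\s)-m\s+(local|net)(?=\s|$)")
RECON = ("gpresult", "whoami", "netstat", "net share")
SERVICE_HINTS = ("veeam", "ivanti", "mcafee")

def is_3am_cli(cmdline):
    """True when the command line carries both the -k key and the -m mode."""
    return bool(KEY_RE.search(cmdline) and MODE_RE.search(cmdline))

def classify(cmdline):
    """Tag one command line with the stage of the chain it resembles, or None."""
    low = cmdline.strip().lower()
    if is_3am_cli(cmdline):
        return "ransomware_cli"
    if low.startswith("net stop") and any(h in low for h in SERVICE_HINTS):
        return "service_stop"
    if low.startswith("net user") and "/add" in low:
        return "persistence_user_add"
    if any(low == r or low.startswith(r + " ") for r in RECON):
        return "recon"
    return None

def score_hosts(events):
    """Return, per host, the sorted set of chain stages seen in its events."""
    stages = defaultdict(set)
    for host, _parent, cmd in events:
        tag = classify(cmd)
        if tag:
            stages[host].add(tag)
    return {h: sorted(s) for h, s in stages.items()}

if __name__ == "__main__":
    print(score_hosts(EVENTS))
```

A host that accumulates several of these stages in a short window is worth isolating before the encryption stage runs; the recon commands alone are common administrative noise.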
Conclusion: a nascent threat that has not yet hatched?
New ransomware families appear all the time, but most of them disappear immediately or never catch on. Given that a LockBit affiliate used 3AM as a fallback, however, it is possible that attackers remain interested in it and that it could reappear in the future.
3AM is a relatively new variant in the ransomware game, and its impact so far has been quiet. This is due in part to the low number of systems confirmed to have fallen victim to it (researchers have identified only 3 victims so far, and mitigation efforts prevented 2 of them from being encrypted by 3AM).
While this may be a good sign, indicating that 3AM can be countered with standard mitigation and security protocols, its use as a backup to the well-known LockBit ransomware variant will surely give it credibility among ransomware operators and their affiliates.
We anticipate further development and refinement of 3AM in the near future for these reasons, making it a threat to watch.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.