In a recent development, a novel ransomware strain named "3AM" has surfaced, catching the attention of cybersecurity experts. A division of Broadcom uncovered this new malware during an incident investigation. Unlike previously known ransomware families, 3AM is written in Rust language, signifying its novelty in the threat landscape, making it more difficult for the researchers to decrypt the files.

According to the findings, this latest cyber attack demonstrates distinctive behavior patterns. It initiates its attack by halting multiple services on the compromised system before commencing the file encryption process. Once the encryption is completed, the ransomware attempts to erase Volume Shadow (VSS) copies, making data recovery more challenging for victims.

The malware earns its name from being referenced within the ransom note and appends the encrypted files with the "threeamtime" extension. Notably, it remains unclear whether the creators of this ransomware have ties to established cybercriminal groups.

In a documented attack observed by the team, the threat actor deployed 3AM on three machines within the target organization's network. However, security measures successfully blocked the ransomware on two of these machines.

What makes this intrusion noteworthy is the cybercriminal's use of Cobalt Strike for post-exploitation activities and privilege escalation. Following this, survey commands were executed to identify other servers for lateral movement. The specific entry point employed in the attack remains undisclosed.

Moreover, the attackers added a new user account for persistence and employed the Wput tool to exfiltrate victim files to their own FTP server.

3AM, a 64-bit executable written in Rust, systematically disables various security and backup-related software, selectively encrypts files based on predefined criteria, and purges volume shadow copies. Although the exact origins of this ransomware are unknown, evidence suggests that the affiliate involved in the attack may have targeted other entities, as indicated by a Reddit post from September 9, 2023.

The Principal Intelligence Analyst at the research team also emphasized the potential threat posed by 3AM, especially considering its use as a fallback by a LockBit affiliate. This underscores the evolving landscape of ransomware attacks, where affiliates demonstrate increasing independence from operators.

While many new ransomware families emerge and fade quickly, the fact that 3AM is considered a credible threat by experienced cybercriminals raises concerns about its potential resurgence in future attacks. The cybersecurity community will continue to monitor and analyze this evolving threat landscape.

Essential Tips for Protecting Yourself from the 3AM Ransomware Threat

To shield yourself from the 3AM ransomware threat, it's essential to take proactive steps. Start by educating yourself and your team about ransomware attacks, familiarizing them with common tactics and how to spot phishing emails and other malicious content. Additionally, keeping your software up to date is crucial, as updates often contain security patches that can thwart known ransomware vulnerabilities. Employ a robust security solution capable of detecting and preventing ransomware attacks to fortify your system's defenses. Lastly, regularly back up your data to ensure you have a secure copy, even in the event of a ransomware compromise. These precautions can help safeguard against the evolving threat landscape posed by ransomware like 3AM.