Security researchers have discovered a new ransomware variant which was deployed after LockBit was blocked on a victim organization’s network.
Symantec’s Threat Hunter Team has only found one instance of the 3AM ransomware – so named because it encrypts files with the extension “.threeamtime” and references “3AM” in its ransom note.
“3AM is written in Rust and appears to be a completely new malware family. The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files,” Symantec explained in a blog post.
“Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies. It is still unclear whether its authors have any links to known cybercrime organizations.”
The threat actors that deployed 3AM first used the “gpresult” command to dump policy settings for specific users. They also executed several Cobalt Strike components and tried to escalate privileges on the computer using PsExec, before running reconnaissance commands and attempting to enumerate other servers for lateral movement.
Read more on new ransomware: New “Rorschach” Ransomware Spread Via Commercial Product
An extra user was also added to maintain persistence, while a Wput tool was used to exfiltrate victim files to an FTP server under the attackers’ control.
However, although 3AM was used after LockBit was initially blocked, this backup strategy was not 100% successful.
The threat actor was only able to deploy 3AM to three machines on the victim organization’s network and it was blocked on two of these three, Symantec said.
“Ransomware affiliates have become increasingly independent from ransomware operators and this is not the first time Symantec has seen an attacker attempt to deploy two different kinds of ransomware in a single attack,” the security vendor concluded.
“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.”