Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

Technology

Sep 13, 2023THNRansomware / Malware

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network.

“3AM is written in Rust and appears to be a completely new malware family,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

“The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies.”

Cybersecurity

3AM gets its name from the fact that it’s referenced in the ransom note. It also appends encrypted files with the extension .threeamtime. That said, it’s currently not known if the malware authors have any connections with known e-crime groups.

In the attack spotted by Symantec, the adversary is said to have managed to deploy the ransomware to three machines on the organization’s network, only for it to be blocked on two of those machines.

The intrusion is notable for using Cobalt Strike for post-exploitation and privilege escalation, following it up by running reconnaissance commands to identify other servers for lateral movement. The exact ingress route employed in the attack is unclear.

“They also added a new user for persistence and used the Wput tool to exfiltrate the victims’ files to their own FTP server,” Symantec noted.

A 64-bit executable written in Rust, 3AM is engineered to run a series of commands to stop various security and backup-related software, encrypt files matching predefined criteria, and purge volume shadow copies.

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

While the exact origins of the ransomware remains unknown, there is evidence to suggest that the ransomware affiliate connected to the operation is targeting other entities, based on a post shared on Reddit on September 9, 2023.

“We’ve seen no evidence ourselves to suggest that this affiliate has used 3AM again, but we’re not surprised to see other reports of 3AM’s use,” Dick O’Brien, principal intelligence analyst at Symantec, told The Hacker News. “If an experienced LockBit affiliate is using it as their alternate payload, it suggests that attackers may see it as a credible threat.”

“Ransomware affiliates have become increasingly independent from ransomware operators,” Symantec said.

“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Vanessa Ray Talks Eddie and Jamie’s Relationship and What’s Next (Exclusive)
Hegseth Is ‘Inordinately Unqualified’ to Lead Pentagon
Walmart Caves to Conservative Pressure, Will Pull Back DEI Policies
Trump hush money sentencing delayed indefinitely
iPhone Production in India Reaches $10 Billion Milestone With PLI Scheme, Says IT Minister