LockBit Affiliate Deploys New 3AM Ransomware in Recent Attack

A LockBit affiliate has been observed deploying a new ransomware family in a recent attack, after LockBit’s execution was blocked, reports Broadcom’s Symantec Threat Hunter Team.

When executed, the new ransomware, named 3AM, attempts to stop multiple processes associated with security and backup tools. It also attempts to delete volume shadow copies, to prevent file recovery.

As part of the observed attack, the threat actor first executed a command to dump the policy settings enforced on the computer for a specified user, then deployed several Cobalt Strike components and attempted to escalate privileges.

Next, the attackers performed reconnaissance, trying to identify other servers for lateral movement, added a new user for persistence, and exfiltrated victim’s files.

The threat actor then attempted to execute the LockBit ransomware. When LockBit was blocked, the attackers switched to the 3AM ransomware, which was successfully executed on a single machine.

The ransomware appends the ‘.threeamtime’ extension to the encrypted files and drops a ransom note that also references the 3AM name.

Written in Rust and deployed as a 64-bit executable, the malware can be supplied with specific command-line parameters and automatically attempts to run commands to stop targeted processes.

Advertisement. Scroll to continue reading.

Next, it starts scanning the drives for files that match specific criteria, encrypts them, and deletes the original files. It then drops a ransom note named ‘RECOVER-FILES.txt’ in each of the folders it has scanned.

Symantec warns that other ransomware affiliates too have been observed attempting to deploy two different ransomware families in the same attack, which may indicate that affiliates are becoming more independent from ransomware operators.

“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future,” Symantec notes.

Related: Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks

Related: US Organizations Paid $91 Million to LockBit Ransomware Gang

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

https://www.securityweek.com/lockbit-affiliate-deploys-new-3am-ransomware-in-recent-attack/