Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family
14.9.23 Ransom The Hacker News
A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network.
"3AM is written in Rust and appears to be a completely new malware family," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
"The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies."
3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime. That said, it's currently not known if the malware authors have any connections with known e-crime groups.
In the attack spotted by Symantec, the adversary is said to have managed to deploy the ransomware to three machines on the organization's network, only for it to be blocked on two of those machines.
The intrusion is notable for using Cobalt Strike for post-exploitation and privilege escalation, following it up by running reconnaissance commands to identify other servers for lateral movement. The exact ingress route employed in the attack is unclear.
"They also added a new user for persistence and used the Wput tool to exfiltrate the victims' files to their own FTP server," Symantec noted.
A 64-bit executable written in Rust, 3AM is engineered to run a series of commands to stop various security and backup-related software, encrypt files matching predefined criteria, and purge volume shadow copies.
While the exact origins of the ransomware remains unknown, there is evidence to suggest that the ransomware affiliate connected to the operation is targeting other entities, based on a post shared on Reddit on September 9, 2023.
"We've seen no evidence ourselves to suggest that this affiliate has used 3AM again, but we're not surprised to see other reports of 3AM's use," Dick O'Brien, principal intelligence analyst at Symantec, told The Hacker News. "If an experienced LockBit affiliate is using it as their alternate payload, it suggests that attackers may see it as a credible threat."
"Ransomware affiliates have become increasingly independent from ransomware operators," Symantec said.
"New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future."