Ransomware - ThreeAM

ThreeAM (Active)
Aliases
3AM
ThreeAM Time
Decryptor Available
No
Description

The first known mention of ThreeAM (3 AM) came in mid-September, when Symantec posted a blog article about a failed LockBit ransomware deployment (see references). During that intrusion, the LockBit affiliate attempted to deploy LockBit, failed, and deployed a novel ransomware called ThreeAM instead. Interestingly, the ThreeAM ransomware operation also has a dark web data leak site (DLS). This suggests that the affiliate uses several ransomware services, with ThreeAM as their second-in-line option. Symantec published this in September of 2023. However, a subsequent article by BleepingComputer reveals that they had known of this ransomware since February of 2023 but were still waiting to gather further details for a proper post. Symantec's report provided much of the context they needed to write that article. We appreciate both reports, which allowed us to make this entry.

Symantec's post also included a SHA-256 hash for the ransomware sample they dealt with. However, the WatchGuard Threat Lab could not obtain a sample of this ransomware to analyze, so everything we currently have has been extracted from the original Symantec article referenced above. Without a sample, we cannot determine the encryption type used, but we did get nearly everything else. The ransomware takes various command-line arguments when the executable is run, including a defined 32-bit alphanumeric key that identifies the victim (the -k flag). Because the attackers must explicitly specify the parameters for each payload, we classify this as what we have defined as human-operated ransomware (HumOR). The ransom note that drops is titled RECOVER-FILES.txt, and encrypted files have their extensions changed to '<file name>.threeamtime'. If we can find and analyze a sample, we will update the encryption type with this information.

Ransomware Type
Crypto-Ransomware
Data Broker
HumOR
First Seen
Extortion Types
Direct Extortion
Double Extortion
Communication
Medium
Identifier
TOR
File Extension
<file name>.threeamtime
Ransom Note Name
RECOVER-FILES.txt
Ransom Note Image
Samples (SHA-256)
307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e
Industry Sector | Country | Extortion Date | Amount (USD)
Mining & Quarrying | Malaysia | |
Construction & Architecture | United States | |
Media & Marketing | United States | |
Food & Beverage | United States | |
Healthcare & Medicine | United States | |
Construction & Architecture | United States | |
Healthcare & Medicine | Germany | |
Distribution & Logistics | United States | |
Hospitality | Spain | |
Mining & Quarrying | United States | |
Information Technology | United States | |
Real Estate & Housing | United Kingdom | |
Transportation | United Kingdom | |
Professional Services | France | |
Legal | United States | |
Professional Services | United States | |
Manufacturing | United States | |
Banking & Finance | United States | |
Agriculture | United States | |
Fashion & Textiles | United States | |
Telecommunications | Canada | |
Construction & Architecture | Mexico | |
Manufacturing | United States | |
Real Estate & Housing | United States | |
Manufacturing | Australia | |
Aerospace & Aviation | United States | |
Legal | United Kingdom | |
Healthcare & Medicine | United States | |
Real Estate & Housing | France | |
Information Technology | Brazil | |
Utilities | United States | |
Healthcare & Medicine | United States | |
Healthcare & Medicine | United States | |
Agriculture | Spain | |
Manufacturing | United Kingdom | |
Manufacturing | Singapore | |
Healthcare & Medicine | Australia | |
Education | United Kingdom | |
Construction & Architecture | United States | |
References & Publications