Ransomware - ThreeAM

ThreeAM (Active)
Aliases
3AM
ThreeAM Time
Decryptor Available
No
Description

The first known public mention of ThreeAM (3AM) came in mid-September 2023, when Symantec published a blog post about a failed LockBit ransomware deployment (see references). During that intrusion, a LockBit affiliate attempted to deploy LockBit, failed, and deployed a previously undocumented ransomware, ThreeAM, instead. Notably, the ThreeAM operation also runs a dark web data leak site (DLS), which suggests the affiliate has access to several ransomware services and that ThreeAM was their fallback. A follow-up article by BleepingComputer reveals that they had known of this ransomware since February 2023 but were waiting to gather further details before publishing; Symantec's post provided the context they needed. We appreciate both reports, which made this entry possible.

Symantec's post also included a SHA-256 hash for the sample they encountered (listed under Samples below). However, the WatchGuard Threat Lab has not been able to obtain a sample to analyze, so everything recorded here is drawn from the Symantec article referenced above. Without a sample we cannot confirm the encryption scheme, but the rest of the behavior is documented. The executable takes several command-line arguments, including a 32-character alphanumeric access key that identifies the victim (the -k flag). Because the attackers must explicitly supply these parameters for each deployment, we classify ThreeAM as human-operated ransomware (HumOR). The ransom note is named RECOVER-FILES.txt, and encrypted files are renamed to '<file name>.threeamtime'. If we obtain and analyze a sample, we will update the encryption details.
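As an added example (not code from WatchGuard, Symantec, or the ThreeAM operators), the script below turns the indicators on this page into a small offline sweep: it walks a directory tree for files renamed to .threeamtime and for RECOVER-FILES.txt notes, hashes remaining files against the listed SHA-256, and flags process command lines that carry a -k access key. The 32-character alphanumeric pattern for the key is an assumption drawn from the description above; the exact alphabet is not confirmed here. The sample directory tree and command lines are constructed for the demo, not taken from a real incident.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Indicators as listed in the tracker entry above.
THREEAM_SHA256 = "307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e"
ENCRYPTED_EXT = ".threeamtime"
RANSOM_NOTE = "RECOVER-FILES.txt"

# Assumption: the -k access key is a 32-character alphanumeric token, as the
# description above puts it. The exact alphabet is not confirmed by this page,
# so the pattern is deliberately loose: exactly 32 letters/digits after "-k".
ACCESS_KEY_RE = re.compile(r"(?:^|\s)-k\s+([A-Za-z0-9]{32})(?=\s|$)")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root: str) -> dict:
    """Walk a tree and collect the three file-based indicators from the entry."""
    hits = {"encrypted_files": [], "ransom_notes": [], "hash_matches": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == RANSOM_NOTE.lower():
            hits["ransom_notes"].append(str(p))
        elif p.suffix.lower() == ENCRYPTED_EXT:
            hits["encrypted_files"].append(str(p))
        elif sha256_file(p) == THREEAM_SHA256:
            # Only files that are neither encrypted nor a note can be the payload.
            hits["hash_matches"].append(str(p))
    return hits


def check_cmdline(cmdline: str) -> Optional[dict]:
    """Flag a process command line carrying a ThreeAM-style -k access key.

    Because the operator supplies the key per victim (HumOR), the key value
    itself is worth recording: it ties separate hosts to the same intrusion.
    """
    m = ACCESS_KEY_RE.search(cmdline)
    if not m:
        return None
    return {"access_key": m.group(1), "cmdline": cmdline}


def build_demo_tree() -> str:
    """Constructed sample tree (not real victim data) for running the sweep offline."""
    root = Path(tempfile.mkdtemp(prefix="threeam-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "q3-forecast.xlsx.threeamtime").write_bytes(os.urandom(256))
    (root / "finance" / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (root / "notes.txt").write_text("benign file, left alone\n")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    print(sweep_directory(demo))
    # Constructed command lines; the key is a placeholder, not a real one.
    suspicious = r"C:\Users\Public\update.exe -k " + "Ab3" * 10 + "Zz" + r" -p D:\shares"
    print(check_cmdline(suspicious))
    print(check_cmdline("ping -k 8.8.8.8"))
```

The hash check is placed last so that files already identified as encrypted or as the note are not hashed needlessly; on a large share that ordering matters more than it looks. The command-line check only confirms the presence of a 32-character token after -k, so treat a hit as a lead to correlate with the file-based indicators rather than a verdict on its own.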

Ransomware Type
Crypto-Ransomware
Data Broker
HumOR
First Seen
Extortion Types
Direct Extortion
Double Extortion
Communication
Medium | Identifier
TOR | -
File Extension
<file name>.threeamtime
Ransom Note Name
RECOVER-FILES.txt
Ransom Note Image
Samples (SHA-256)
307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e
Industry Sector | Country | Extortion Date | Amount (USD)
Mining & Quarrying | Malaysia | - | -
Construction & Architecture | United States | - | -
Media & Marketing | United States | - | -
Food & Beverage | United States | - | -
Healthcare & Medicine | United States | - | -
Construction & Architecture | United States | - | -
Healthcare & Medicine | Germany | - | -
Distribution & Logistics | United States | - | -
Hospitality | Spain | - | -
Mining & Quarrying | United States | - | -
Information Technology | United States | - | -
Real Estate & Housing | United Kingdom | - | -
Transportation | United Kingdom | - | -
Professional Services | France | - | -
Legal | United States | - | -
Professional Services | United States | - | -
Manufacturing | United States | - | -
Banking & Finance | United States | - | -
Agriculture | United States | - | -
Fashion & Textiles | United States | - | -
Telecommunications | Canada | - | -
Construction & Architecture | Mexico | - | -
Manufacturing | United States | - | -
Real Estate & Housing | United States | - | -
Manufacturing | Australia | - | -
Aerospace & Aviation | United States | - | -
Legal | United Kingdom | - | -
References & Publications