Ransomware - ThreeAM

ThreeAM (Active)
ThreeAM Time
Decryptor Available

The first known mention of ThreeAM (3 AM) came about when Symantec posted a blog article in mid-September about a failed LockBit ransomware deployment (see references). Apparently, during this deployment, the LockBit affiliate attempted to deploy LockBit, failed, and deployed a novel ransomware called ThreeAM instead. Interestingly, the ThreeAM ransomware operation also has a dark web data leak site (DLS). This suggests that the affiliate utilizes several ransomware services, and ThreeAM was their second-in-line. Symantec posted this in September of 2023. However, a subsequent article by BleepingComputer reveals that they've known of this ransomware since February of 2023 but were still waiting to extract further details for a proper post. Symantec provided much more context for them to create the article and provide this information. We appreciate both of their reporting to allow us to make this entry.

Symantec's post also included a SHA-256 hash for the ransomware sample they dealt with. However, the WatchGuard Threat Lab could not find any sample of this ransomware to analyze. What we currently have has been extracted from the original Symantec article referenced prior. Since we don't have a sample, we cannot extract the encryption type they use, but we did get pretty much everything else. The ransomware uses various command arguments when running the executable, including a defined 32-bit alphanumeric key to identify the victim (-k flag). Based on the described behavior of the ransomware payload, we assume this is what we have defined as human-operated ransomware (HumOR) because the attackers have to specify the parameters for each payload explicitly. The ransom note that drops is titled RECOVER-FILES.txt, and encrypted files have their extensions changed to '<file name>.threeamtime.' If we can find and analyze a sample, we will update the encryption types with this information.

Ransomware Type
Data Broker
First Seen
Extortion Types
Direct Extortion
Double Extortion
File Extension
<file name>.threeamtime
Ransom Note Name
Ransom Note Image
Samples (SHA-256)
Industry Sector Country Extortion Date Amount (USD)
Mining & Quarrying Malaysia
Construction & Architecture United States
Media & Marketing United States
Food & Beverage United States
Healthcare & Medicine United States
Construction & Architecture United States
Healthcare & Medicine Germany
Distribution & Logistics United States
Hospitality Spain
Mining & Quarrying United States
Information Technology United States
Real Estate & Housing United Kingdom
Transportation United Kingdom
Professional Services France
Legal United States
Professional Services United States
Manufacturing United States
Banking & Finance United States
Agriculture United States
Fashion & Textiles United States
Telecommunications Canada
Construction & Architecture Mexico
Manufacturing United States
Real Estate & Housing United States
Manufacturing Australia
Aerospace & Aviation United States
Legal United Kingdom
References & Publications