Failed LockBit Attack Substituted with New Ransomware Strain ‘3AM’

Highlights:

• Before encrypting files, 3AM ransomware strain attempts to halt several services on the compromised computer.
• LockBit has consistently ranked among the most active ransomware groups online since its emergence in 2020.

A recently identified ransomware variant named ‘3AM’ was discovered attempting to infect a victim with LockBit ransomware but was successfully blocked.

Highlighted by Symantec Threat Hunting team, 3AM is coded in Rust programming language and is considered an entirely new malware family. Before encrypting files, this ransomware strain attempts to halt several services on the compromised computer. After completing the encryption process, it attempts to delete Volume Shadow copies.

The attackers, whose identity remains undisclosed, were found utilizing a gpresult command to extract policy settings implemented on the computer for a designated user. Furthermore, the attacker employed Cobalt Strike components and tried to elevate privileges on the targeted computer using PsExec. The attacker deployed various reconnaissance commands and established persistence by creating a new user account.

The attack path takes an interesting turn as the attackers initially tried to install LockBit ransomware, only to be met with a successful block. Facing obstruction, the attacker proceeded to deploy 3AM as an alternative. The attack is characterized as partially successful, with the attackers managing to deploy it on only three machines within the targeted organization’s network. However, their attempts were successfully thwarted on two out of the three computers.

While new ransomware variants emerge frequently and often fade away swiftly or fail to gain momentum, Symantec researchers emphasize that using 3AM as a contingency plan by a LockBit affiliate hints at potential future use.

The LockBit ransomware gang employs a ransomware-as-a-service model, where affiliates utilize pre-developed ransomware to carry out attacks. LockBit has consistently ranked among the most active ransomware groups online since its emergence in 2020. It was identified as the most active threat actor in January.

James McQuiggan, a security awareness advocate at KnowBe4 Inc., a company specializing in security awareness training, shared insights, “The emergence of the 3AM ransomware group signals a concerning new phase in the evolution of ransomware. While only detected in one campaign so far, this group is incorporating service stopping and data deletion of VSS along with exfiltrating data before encrypting files.”

McQuiggan highlighted that their utilization of the Rust programming language demonstrates their capacity for adaptation and innovation. “Ransomware groups like 3AM represent a clear and present danger to organizations of all kinds,” McQuiggan added, “To defend against this threat; business leaders must prioritize ransomware resilience.”