3AM Ransomware
Recovery Services
Alvaka’s 3AM Ransomware Recovery Services are designed to protect your company’s systems from ransomware and help you recover when necessary.
What is 3AM Ransomware?
3AM ransomware first appeared in September 2023, and the discovery of this variant was one of a kind: 3AM was the first ransomware to serve as a fallback for other ransomware, most notably LockBit. When actors encountered difficulties deploying LockBit during an attack, they turned to 3AM as an alternative to gain unauthorized access to their victim’s system. While recognized as the secondary choice for numerous cybercriminals, 3AM also sets itself apart with its distinctive technical features. It is written in the Rust programming language and seems to be part of a new ransomware family. The ransomware is designed to disrupt backup systems, security software, and applications while targeting certain files, which it renames with a “.threeamtime” extension. Its operators are motivated solely by financial gain and mainly target companies in the US, UK, and France.
Researchers linked 3AM to the Conti and Royal cybercrime families due to similar TTPs, infrastructure, and communication channels. (Conti is Royal’s predecessor.)
How Does 3AM Ransomware Operate?
As stated previously, 3AM ransomware is written in Rust and runs as a 64-bit executable that can execute various commands. These commands can interrupt applications, impede backup processes, and disable security software. The ransomware targets files meeting specific criteria and appends the extension “.threeamtime” to their filenames. It also seeks to erase Volume Shadow copies. Notably, a recent tweet from a security researcher shed light on the 3AM ransomware gang’s use of an outdated PHP script called Yugeon Web Clicks v0.1, dating back to 2004, to track page views on their website. This adoption of antiquated technology raises questions about the group’s methods and motives. Some researchers speculate that the group uses outdated technology so that they are less likely to be identified and exposed. Others suggest it is because older technology is simpler and easier to use.
The true motive behind 3AM’s use of the outdated Yugeon Web Clicks script remains unknown. Despite their use of sophisticated ransomware strains in targeting organizations, their backend selections may be influenced by a combination of strategy, overconfidence, and/or convenience. Organizations must stay vigilant and adopt a holistic security approach, understanding that threats can arise from both state-of-the-art and outdated technologies.
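The file-renaming behaviour described in this section can be turned into a simple detection rule. The following is an added example, not code from Alvaka or from any 3AM analysis: it flags any process that appends “.threeamtime” to several files within a short window. The pipe-delimited event format, the process names, the sample events and the threshold values are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXT = ".threeamtime"             # extension named on this page
WINDOW = timedelta(seconds=10)   # assumed tuning value
THRESHOLD = 3                    # assumed tuning value

# Constructed file-rename events: timestamp|host|process|old_path|new_path
SAMPLE = r"""
2024-01-01T03:00:00|FS01|unknown64.exe|C:\share\q1.xlsx|C:\share\q1.xlsx.threeamtime
2024-01-01T03:00:01|FS01|unknown64.exe|C:\share\plan.docx|C:\share\plan.docx.threeamtime
2024-01-01T03:00:03|FS01|unknown64.exe|C:\share\db.bak|C:\share\db.bak.THREEAMTIME
2024-01-01T03:00:04|FS01|backup.exe|C:\share\old.log|C:\share\old.log.bak
2024-01-01T09:15:00|WS07|explorer.exe|C:\tmp\test.txt|C:\tmp\test.txt.threeamtime
malformed line without fields
"""

def parse(text):
    """Yield (timestamp, host, process, old_path, new_path); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, host, proc, old, new = parts
        yield datetime.fromisoformat(ts), host, proc, old, new

def detect(text, window=WINDOW, threshold=THRESHOLD):
    """Return sorted (host, process) pairs that appended EXT to at least
    `threshold` files within `window`."""
    hits = defaultdict(list)
    for ts, host, proc, old, new in parse(text):
        # "Appends" means the new name is the old name plus EXT; compare
        # case-insensitively because Windows paths ignore case.
        if new.lower() == old.lower() + EXT:
            hits[(host, proc)].append(ts)
    flagged = []
    for key, times in hits.items():
        times.sort()
        # Slide over each run of `threshold` consecutive renames.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for host, proc in detect(SAMPLE):
        print(f"ALERT: {proc} on {host} is appending {EXT} to files in bulk")
```

A single rename, such as the WS07 event, stays below the threshold, so an analyst handling one sample file does not trigger the alert.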
How Can You Protect Your Company Against 3AM Ransomware?
3AM’s emergence as a secondary choice to other ransomware suggests a potential change in cybercriminal tactics. As 3AM garners more attention, it may evolve and expand into a bigger threat as the year progresses. Organizations must adapt to these changes and mitigate risk by keeping up with cybersecurity hygiene and general security measures.
- Use strong passwords and enable multi-factor authentication
- Practice email security and install email filtering
- Update software regularly
- Consider Data Loss Prevention Solutions
- Regularly back up data
- Security awareness training for all employees
- Keep up to date with the latest cyber threats. Use cybersecurity news websites and resources from security vendors