Security researchers have uncovered tight connections between the newly emerged 3AM ransomware operation and infamous cybercrime groups, such as the Conti syndicate and the Royal ransomware gang. 3AM, also known as ThreeAM, has recently been experimenting with a new extortion tactic: sharing news of a data leak with the victim’s social media followers and using bots to reply to high-ranking accounts on X (formerly Twitter) with messages pointing to data leaks.
The 3AM ransomware gang’s activity came to light in mid-September when the Threat Hunter Team at Symantec revealed that the threat actors had shifted to ThreeAM ransomware after failing to deploy the LockBit malware. Researchers at French cybersecurity company Intrinsec have indicated that ThreeAM is likely linked to the Royal ransomware group, which has rebranded as Blacksuit, a gang comprised of former members of Team 2 within the Conti syndicate. As Intrinsec delved further into their investigation, they discovered significant overlap in communication channels, infrastructure used in attacks, and the tactics, techniques, and procedures (TTPs) employed by both 3AM and the Conti syndicate.
Intrinsec’s analysis also unveiled a PowerShell script used to drop Cobalt Strike that has been detected since 2020, as well as a SOCKS4 proxy listening on TCP port 8000, a setup typically used for tunneling communication. Additionally, the researchers found a TLS certificate for an RDP service linked to attacks from mid-2022, some of which leveraged the IcedID malware dropper previously used by the Royal ransomware group. The analysis also revealed that 3AM’s data leak site on the Tor network had been indexed by Shodan, the search engine for internet-connected servers, indicating that it was also reachable over the clear web.
Further investigation led Intrinsec to identify several servers sharing the same combination of attributes: the same port, protocol, Apache product and version, autonomous system, organization, and the text “llc” (indicating a limited liability company) on the served page. The domains at the analyzed IP addresses also had TLS certificates issued by Google Trust Services LLC and had been moved to Cloudflare, mirroring previous findings associated with the IcedID malware used in Conti attacks.
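The infrastructure pivot described above, grouping scanner records by a core fingerprint (port, protocol, product/version, autonomous system, organization) and then scoring the weaker overlaps such as TLS certificate issuer and an “llc” string, can be reproduced as a small analysis routine. The following is an added example, not code from Intrinsec or the original article; all host records, IP addresses (RFC 5737 documentation ranges), ASNs and banner strings are constructed for illustration and are not indicators from the report.

```python
"""Infrastructure pivot on shared server fingerprints (added example).

Given a seed host (for instance one known to serve a leak site) and a set
of host records in the shape an internet scanner returns them, find the
other hosts that share the same combination of port, protocol,
product/version, autonomous system and organization, then score the
secondary overlaps (TLS certificate issuer, an "llc" string on the page).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    ip: str
    port: int
    protocol: str
    product: str        # server banner, e.g. "Apache httpd 2.4.57" (constructed)
    asn: str
    org: str
    tls_issuer: str     # issuer of the certificate presented by the host
    page_text: str      # text observed on the served page


# Constructed sample records: documentation-range IPs, invented ASNs,
# organizations and banners. None of these are real indicators.
SAMPLE_HOSTS = [
    HostRecord("192.0.2.10", 443, "https", "Apache httpd 2.4.57", "AS64500",
               "Example Hosting LLC", "Google Trust Services LLC", "example llc"),
    HostRecord("192.0.2.11", 443, "https", "Apache httpd 2.4.57", "AS64500",
               "Example Hosting LLC", "Google Trust Services LLC", "example llc"),
    HostRecord("192.0.2.12", 443, "https", "Apache httpd 2.4.57", "AS64500",
               "Example Hosting LLC", "Let's Encrypt", "welcome"),
    HostRecord("198.51.100.5", 443, "https", "nginx 1.24.0", "AS64500",
               "Example Hosting LLC", "Google Trust Services LLC", "example llc"),
    HostRecord("198.51.100.6", 8080, "http", "Apache httpd 2.4.57", "AS64501",
               "Other Org", "Let's Encrypt", "hello"),
]


def fingerprint(host):
    """Core attributes that must all match for two hosts to be grouped."""
    return (host.port, host.protocol, host.product, host.asn, host.org)


def cluster_by_fingerprint(hosts):
    """Group records by their core fingerprint."""
    clusters = defaultdict(list)
    for h in hosts:
        clusters[fingerprint(h)].append(h)
    return dict(clusters)


def overlap_score(seed, other):
    """Count the secondary overlaps beyond the core fingerprint.

    Each overlap on its own is weak evidence (many unrelated sites use the
    same CA), so they are reported as a score for an analyst to weigh,
    not treated as proof of shared ownership.
    """
    score = 0
    if other.tls_issuer == seed.tls_issuer:
        score += 1
    if "llc" in seed.page_text.lower() and "llc" in other.page_text.lower():
        score += 1
    return score


def pivot(hosts, seed_ip, min_score=0):
    """Return (ip, score) pairs for hosts sharing the seed's core
    fingerprint, strongest overlap first. Raises KeyError if the seed
    IP is not in the data set."""
    by_ip = {h.ip: h for h in hosts}
    seed = by_ip[seed_ip]
    cluster = cluster_by_fingerprint(hosts).get(fingerprint(seed), [])
    matches = [(h.ip, overlap_score(seed, h)) for h in cluster if h.ip != seed.ip]
    matches = [m for m in matches if m[1] >= min_score]
    return sorted(matches, key=lambda m: (-m[1], m[0]))


if __name__ == "__main__":
    # Pivot from the constructed seed and list related hosts.
    for ip, score in pivot(SAMPLE_HOSTS, "192.0.2.10"):
        print(f"{ip}  secondary overlaps: {score}")
```

Seeding the pivot with `192.0.2.10` returns `192.0.2.11` (core fingerprint plus both secondary overlaps) ahead of `192.0.2.12` (core fingerprint only), while the nginx host on the same ASN and the Apache host on a different port and organization fall outside the cluster. Raising `min_score` drops the weaker candidates, which is the same judgement an analyst makes when deciding which shared attributes are distinctive enough to justify a link.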
Another startling revelation was the discovery that 3AM likely employed a new extortion technique using automated replies on X (formerly Twitter) to broadcast news of their successful attacks. The gang set up an X/Twitter account and used it to leave numerous replies mentioning a victim and redirecting to the data leak site. This tactic was likely aimed at spreading news of the attack and subsequent data leak to damage the business reputation of the victim. The increased volume and frequency of ThreeAM replies, sometimes as many as 86 per day, indicated the use of an X/Twitter bot to conduct a name and shame campaign, according to Intrinsec’s findings.
3AM’s data leak site, which closely resembled the one used by the LockBit ransomware operation, displayed a list of 19 victims who did not pay the ransom and whose data the threat actor leaked. Although 3AM appears to be a less sophisticated subgroup of Royal ransomware and displays less operational security, it should not be underestimated, as it could still carry out a large number of attacks.
The Conti cybercrime syndicate, previously the largest and most aggressive ransomware operation, shut down in May 2022 following a data breach known as Conti Leaks. Despite its dissolution, many of its members and affiliates joined other operations, such as Royal ransomware, which is considered the direct heir of Conti. In the ever-shifting landscape of ransomware operations, tracking the members of a particular gang or tying them to an operation remains challenging.
In conclusion, the emergence of 3AM and its connections to infamous cybercrime groups raise concerns about the continued threat of ransomware attacks. As security researchers continue their efforts to analyze and understand these threats, it is crucial for organizations to remain vigilant and implement robust cybersecurity measures to protect against potential attacks.