Connect with us

Hi, what are you looking for?



LockBit Affiliate Deploys New 3AM Ransomware in Recent Attack

A LockBit affiliate has deployed the new 3AM ransomware family on a victim’s network, after LockBit’s execution was blocked.

A LockBit affiliate has been observed deploying a new ransomware family in a recent attack, after LockBit’s execution was blocked, reports Broadcom’s Symantec Threat Hunter Team.

When executed, the new ransomware, named 3AM, attempts to stop multiple processes associated with security and backup tools. It also attempts to delete volume shadow copies, to prevent file recovery.

As part of the observed attack, the threat actor first executed a command to dump the policy settings enforced on the computer for a specified user, then deployed several Cobalt Strike components and attempted to escalate privileges.

Next, the attackers performed reconnaissance, trying to identify other servers for lateral movement, added a new user for persistence, and exfiltrated victim’s files.

The threat actor then attempted to execute the LockBit ransomware. When LockBit was blocked, the attackers switched to the 3AM ransomware, which was successfully executed on a single machine.

The ransomware appends the ‘.threeamtime’ extension to the encrypted files and drops a ransom note that also references the 3AM name.

Written in Rust and deployed as a 64-bit executable, the malware can be supplied with specific command-line parameters and automatically attempts to run commands to stop targeted processes.

Advertisement. Scroll to continue reading.

Next, it starts scanning the drives for files that match specific criteria, encrypts them, and deletes the original files. It then drops a ransom note named ‘RECOVER-FILES.txt’ in each of the folders it has scanned.

Symantec warns that other ransomware affiliates too have been observed attempting to deploy two different ransomware families in the same attack, which may indicate that affiliates are becoming more independent from ransomware operators.

“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future,” Symantec notes.

Related: Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks

Related: US Organizations Paid $91 Million to LockBit Ransomware Gang

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.