A LockBit affiliate has been observed deploying a new ransomware family in a recent attack, after LockBit’s execution was blocked, reports Broadcom’s Symantec Threat Hunter Team.
When executed, the new ransomware, named 3AM, attempts to stop multiple processes associated with security and backup tools. It also attempts to delete volume shadow copies, to prevent file recovery.
As part of the observed attack, the threat actor first executed a command to dump the policy settings enforced on the computer for a specified user, then deployed several Cobalt Strike components and attempted to escalate privileges.
Next, the attackers performed reconnaissance, trying to identify other servers for lateral movement, added a new user for persistence, and exfiltrated victim’s files.
The threat actor then attempted to execute the LockBit ransomware. When LockBit was blocked, the attackers switched to the 3AM ransomware, which was successfully executed on a single machine.
The ransomware appends the ‘.threeamtime’ extension to the encrypted files and drops a ransom note that also references the 3AM name.
Written in Rust and deployed as a 64-bit executable, the malware can be supplied with specific command-line parameters and automatically attempts to run commands to stop targeted processes.
Next, it starts scanning the drives for files that match specific criteria, encrypts them, and deletes the original files. It then drops a ransom note named ‘RECOVER-FILES.txt’ in each of the folders it has scanned.
Symantec warns that other ransomware affiliates too have been observed attempting to deploy two different ransomware families in the same attack, which may indicate that affiliates are becoming more independent from ransomware operators.
“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future,” Symantec notes.
Related: Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks
Related: US Organizations Paid $91 Million to LockBit Ransomware Gang
Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
