Table of contents
- The origin of ThreeAM ransomware
- Functionality and characteristics of ThreeAM ransomware
- The modus operandi of the hacker group ThreeAM
- Communication and extortion methods
In recent years, the ransomware attack landscape has evolved with the emergence of new hacker groups and increasingly sophisticated malware. Among them, ThreeAM ransomware has appeared as a new malicious strain first identified in 2023.
This group is notable for one peculiarity: its ransomware is often used as a backup plan when another ransomware, such as LockBit, fails in the initial attack.
In this article, we will analyze the origins of ThreeAM, its main characteristics, its distribution method, and the risks it poses to businesses and users.
The origin of ThreeAM ransomware
The ThreeAM ransomware was first identified in February 2023 but was officially mentioned in a Symantec report published in September of the same year.
The analysis revealed that a threat actor, after unsuccessfully attempting to deploy LockBit ransomware, resorted to ThreeAM. This behavior suggests that 3AM ransomware was developed as an alternative in case primary attacks failed.
Functionality and characteristics of ThreeAM ransomware
The ThreeAM ransomware stands out for several characteristics. Although it has not yet been fully analyzed, owing to the lack of available samples, it is known to use a 32-bit alphanumeric key to identify the victim. It also operates as human-operated ransomware (HumOR), meaning the operators set the attack parameters manually.
Once a system is infected, ThreeAM encrypts files and changes their extensions by adding .threeamtime. A ransom note named RECOVER-FILES.txt is then created, containing instructions on how victims can contact the hackers to recover their files.
Currently, there is no decryptor available, leaving victims with no option but to pay the ransom.
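The two on-disk artifacts described above (the appended .threeamtime extension and the RECOVER-FILES.txt note) are what a responder would sweep for when scoping an incident. The following is an added triage example, not code from the original article: it walks a directory tree, collects both artifact types, and recovers the pre-encryption file names for an impact list. The sample directory it builds is constructed and entirely synthetic.

```python
"""Sweep a directory tree for the on-disk artifacts attributed to ThreeAM:
files renamed with the .threeamtime extension and RECOVER-FILES.txt ransom
notes. Added triage example; the sample tree below is constructed."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".threeamtime"       # extension appended to encrypted files
RANSOM_NOTE_NAME = "RECOVER-FILES.txt"  # name of the ransom note


def scan_for_threeam_artifacts(root):
    """Walk `root` and collect encrypted files and ransom notes.

    Returns sorted POSIX-style relative paths so the output is deterministic
    and can be pasted straight into an incident ticket.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name == RANSOM_NOTE_NAME:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def original_name(encrypted_path):
    """Strip the appended extension to recover the original file name.

    This only tells you what was hit; it does not recover content, since no
    decryptor exists.
    """
    if not encrypted_path.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not a ThreeAM-encrypted file name")
    return encrypted_path[: -len(ENCRYPTED_SUFFIX)]


def build_sample_tree():
    """Create a constructed, synthetic directory tree for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="threeam_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q3.xlsx.threeamtime").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 constructed\n")  # untouched file
    (root / "hr" / "payroll.csv.threeamtime").write_bytes(b"\x00" * 16)
    (root / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    findings = scan_for_threeam_artifacts(demo_root)
    for rel in findings["encrypted"]:
        print(f"encrypted: {rel} (was {original_name(rel)})")
    for rel in findings["notes"]:
        print(f"ransom note: {rel}")
```

Point `scan_for_threeam_artifacts` at a mounted image or a file share export rather than the live host where possible, so the sweep itself does not alter timestamps the forensic timeline depends on.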

The modus operandi of the hacker group ThreeAM
The ThreeAM group employs sophisticated methods to distribute its ransomware. Although the initial distribution vector is not yet clear, the group likely relies on phishing, exploitation of vulnerable servers, and RDP brute-force attacks.
One of the key features of ThreeAM ransomware is the deletion of Volume Shadow Copies, the automatic file snapshots Windows keeps, which makes recovery from local backups nearly impossible without paying the ransom.
Shadow copy deletion is common among ransomware groups. ThreeAM also applies the typical double extortion tactic, in which the hackers threaten to publish stolen data if the ransom is not paid.
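Because shadow copy deletion precedes encryption, a process-creation alert on it is one of the few early warnings a defender gets. The following is an added detection example, not code from the original article. The article does not say which command ThreeAM uses to remove the copies, so the patterns below cover the common Windows methods (an assumption), and the event records it scans are constructed JSON lines, not real telemetry.

```python
"""Flag process-creation events whose command line deletes or purges Volume
Shadow Copies. Added detection example; the command patterns are the usual
ones (assumption, not confirmed for ThreeAM by the article) and SAMPLE_EVENTS
are constructed."""
import json
import re

# Case-insensitive patterns for the common ways shadow copies get wiped.
SHADOW_DELETION_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),  # shrinking storage purges copies
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\bremove-wmiobject\b", re.I),
]


def parse_event(line):
    """Parse one JSON-encoded process-creation record into a dict."""
    return json.loads(line)


def is_shadow_copy_deletion(cmdline):
    """True when the command line matches any shadow copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETION_PATTERNS)


def detect(lines):
    """Return (timestamp, host, command line) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        if is_shadow_copy_deletion(cmd):
            hits.append((ev.get("ts"), ev.get("host"), cmd))
    return hits


# Constructed sample telemetry: one benign enumeration, three deletions, one unrelated event.
SAMPLE_EVENTS = [
    '{"ts": "2023-09-12T02:58:01Z", "host": "FS01", "user": "svc_backup", "cmd": "vssadmin.exe list shadows"}',
    '{"ts": "2023-09-12T03:00:14Z", "host": "FS01", "user": "admin", "cmd": "vssadmin.exe delete shadows /all /quiet"}',
    '{"ts": "2023-09-12T03:00:15Z", "host": "FS01", "user": "admin", "cmd": "wmic shadowcopy delete"}',
    '{"ts": "2023-09-12T03:01:40Z", "host": "WS22", "user": "jdoe", "cmd": "notepad.exe RECOVER-FILES.txt"}',
    '{"ts": "2023-09-12T03:02:03Z", "host": "FS01", "user": "admin", "cmd": "powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"}',
]

if __name__ == "__main__":
    for ts, host, cmd in detect(SAMPLE_EVENTS):
        print(f"{ts} {host}: shadow copy deletion -> {cmd}")
```

Legitimate backup software occasionally issues these commands too, so in production the rule is best tuned by excluding known backup service accounts and alerting on everything else, rather than suppressing the pattern outright.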
Communication and extortion methods
The ThreeAM ransomware employs various methods to communicate with victims and manage ransom payments. Contact is made via the email ThreeAM@onionmail.org and a Tor website. This allows hackers to remain anonymous and makes tracking transactions difficult.
Extortion takes two forms: direct extortion and double extortion. In the first, the victim is forced to pay to recover their files. In the second, in addition to encrypting files, the hackers threaten to publish sensitive data stolen during the attack.
Questions and answers
- What is ThreeAM ransomware?
It is a new ransomware used as a fallback when other attacks fail.
- When was ThreeAM discovered?
It was first identified in February 2023.
- How does ThreeAM ransomware spread?
Probably through phishing, exploits of vulnerable servers, and brute-force RDP attacks.
- What happens to files encrypted by ThreeAM?
Their extensions are changed to .threeamtime, making them inaccessible.
- Is there a decryptor for ThreeAM?
No, there is currently no decryptor available.
- How do ThreeAM hackers communicate with victims?
Through email and a Tor ransom site.
- Does ThreeAM delete Windows backups?
Yes, it deletes the Volume Shadow Copies to prevent file recovery.
- What is special about ThreeAM?
It is used as a fallback when other ransomware, such as LockBit, fails.
- What is the name of the ThreeAM ransom note?
The file containing the instructions is called RECOVER-FILES.txt.