3AM ransomware family

Detected! 3 AM Ransomware Family, New in Cyber Town


A fresh strain of ransomware, known as “3 AM,” has emerged in the wild. The new malware is written in the Rust programming language and appears to be a distinct family, unrelated to any previously known ransomware. The Symantec Threat Hunter Team recently reported its discovery of 3 AM.


Anatomy of the Attack

Upon infecting a computer, 3 AM first attempts to stop a number of services before it begins encrypting the victim’s files. Once encryption is complete, it attempts to delete Volume Shadow Copy Service (VSS) snapshots, removing a common source of local backups and further complicating recovery.


Why is it called 3 AM? 

The name “3 AM” comes from the ransom note, which refers to 3 AM, and from the “.threeamtime” extension the malware appends to encrypted files. It is currently unclear whether the creators of this malware have any affiliation with established cybercrime groups.

https://x.com/seif_cybersec/status/1701913018676727992?s=20

In a recent attack monitored by Symantec, the threat actor deployed 3 AM on three machines within the targeted organization’s network. The ransomware was blocked on two of those machines, so only one was encrypted.

Familiar Tools and Techniques

The exact method of initial entry into the network remains uncertain. Once inside, the attacker:

  • Used Cobalt Strike for post-exploitation and privilege escalation.
  • Ran reconnaissance commands to locate other servers for lateral movement.
  • Added a new user account to maintain persistence.
  • Used the Wput tool to transfer the victim’s files to an attacker-controlled FTP server.

Symantec Analysis

3 AM is a 64-bit executable written in Rust. It runs commands designed to turn off security and backup-related software, encrypts files that match specific criteria, and deletes volume shadow copies.
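The behaviours described above (service stops, shadow-copy deletion, the “.threeamtime” extension, a newly added user and file transfer to an FTP server) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the original article or from Symantec, showing how a defender might hunt for that combination across Sysmon-style events. The sample events and the host names, user name and IP address in them are constructed for illustration, and the command-line patterns are generic indicators for these techniques, not command lines the article attributes to 3 AM itself.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (illustrative, not telemetry from the Symantec case).
# id 1 = process creation, id 11 = file create, id 3 = network connection.
SAMPLE_EVENTS = [
    {"id": 1, "host": "srv01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Veeam Backup Service" /y'},
    {"id": 1, "host": "srv01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user backupadm P@ssw0rd! /add"},
    {"id": 1, "host": "srv01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "host": "srv01", "image": r"C:\Users\Public\update.exe",
     "target": r"C:\Shares\Finance\Q3.xlsx.threeamtime"},
    {"id": 3, "host": "srv01", "image": r"C:\Users\Public\wput.exe",
     "dst_ip": "203.0.113.10", "dst_port": 21},
    # Benign noise from another host: a drive mapping and a normal spreadsheet save.
    {"id": 1, "host": "wks07", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"id": 11, "host": "wks07", "image": r"C:\Program Files\Office\excel.exe",
     "target": r"C:\Users\alice\Documents\notes.xlsx"},
]

# Generic indicator patterns for the techniques the article describes (assumed, not 3 AM-specific).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy",
    re.I)
SERVICE_STOP = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill)\b", re.I)
USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
RANSOM_EXT = re.compile(r"\.threeamtime$", re.I)


def classify(event):
    """Map one event to a behaviour tag, or None if it is not interesting."""
    if event["id"] == 1:
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if SERVICE_STOP.search(cmd):
            return "service_stop"
        if USER_ADD.search(cmd):
            return "local_user_added"
    elif event["id"] == 11:
        if RANSOM_EXT.search(event.get("target", "")):
            return "threeamtime_extension"
    elif event["id"] == 3:
        # Wput speaks plain FTP; an outbound port-21 connection from a user-writable
        # path is worth a look on its own, and damning next to the other tags.
        if event.get("dst_port") == 21:
            return "ftp_outbound"
    return None


def hunt(events):
    """Collect the distinct behaviour tags seen on each host."""
    per_host = defaultdict(set)
    for event in events:
        tag = classify(event)
        if tag:
            per_host[event["host"]].add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


def suspicious_hosts(events, min_behaviours=2):
    """Hosts showing at least min_behaviours distinct tags; a single net stop is noise,
    a stop plus shadow deletion plus a new extension is an incident."""
    return sorted(h for h, tags in hunt(events).items() if len(tags) >= min_behaviours)


if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, tags)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Correlating per host rather than alerting on each pattern in isolation is the design point: a backup administrator legitimately runs `net stop` and an old shadow copy is sometimes cleaned up by hand, but the same host stopping services, deleting shadows, writing a new extension and pushing files out over FTP within a short window is the sequence the article describes. In production the `id`, `cmdline` and `target` fields would come from the Sysmon or EDR event schema rather than the constructed dictionaries used here.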

While the origins of this ransomware remain a mystery, there is evidence that the affiliate behind this operation may be targeting other organizations: a Reddit post from September 9, 2023, hinted at further activity.

Can we rest easy?

Symantec’s principal intelligence analyst stressed that 3 AM may well be used again, particularly by experienced LockBit affiliates. That an established affiliate was willing to deploy it suggests attackers regard 3 AM as a viable payload rather than a one-off.

https://x.com/vxunderground/status/1697027546452259277?s=20

It is worth noting that ransomware affiliates have become increasingly independent of the operators whose payloads they deploy, and new variants like 3 AM come and go rapidly. However, the fact that a LockBit affiliate turned to 3 AM as a fallback payload when LockBit was blocked implies that it may resurface.

Author: PureVPN

Date: September 14, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
