Through the identification of a first single case, a new family of ransomwarecall 3AM.
The malicious agent was detected following a failed deployment attempt LockBit and has an interesting feature, namely the programming language used. We are in fact talking about an executable written in Rust and designed to block any security software or useful for carrying out the data backup.
Il Symantec Threat Hunter Team stated a The Hacker News come “3AM is written in Rust and appears to be a completely new malware family“. The same experts then explained how “The ransomware tries to stop multiple services on the infected computer before it starts encrypting files“.
The encrypted files, apparently, come with the extension .threamtime. What makes 3AM mysterious is its origin which, at the moment, has not yet been traced back to any known cybercriminal group.
3AM, the ransomware written in Rust about which very little is known
According to Symantec, the attack has so far been successful on three machines and attempted to deploy Cobalt Strike. In two out of three cases, however, the ransomware was blocked before completing the infection.
The researchers underlined, with respect to cybercriminals, how they “They also added a new user for persistence and used the Wput tool to exfiltrate victims’ files on their FTP server“.
According to Dick O’Brienprincipal intelligence analyst at Symantec, stated how “We found no evidence to suggest this affiliate used 3AM again, but we are not surprised to see other reports of ransomware use“.
On the other hand, the appearance of new attacks of this type should not be too surprising. For Symantec, in fact “New ransomware families appear frequently, and most of them disappear just as quickly or never manage to gain significant popularity. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it could be of interest to attackers and could reappear in the future“.