ThreeAM Ransomware: A Growing Threat to Small and Medium-Sized Businesses

In recent times, security analysts at Intrinsic made a startling discovery – the emergence of a dangerous ransomware strain called ThreeAM (aka 3 AM, ThreeAM time) that has been actively targeting small and medium-sized companies. This article delves into the various characteristics, tactics, and impacts of ThreeAM ransomware, shedding light on the evolving threat landscape and the need for proactive security measures.

Ransomware Features and Characteristics

ThreeAM ransomware sets itself apart with its unique set of features and characteristics. Firstly, if the victims fail to pay the ransom demanded, their sensitive data is exposed on a leak site. Additionally, this ransomware has been linked to the research and development efforts of ex-Conti members, who are now operating under the name Royal. Symantec has further unveiled the connection between ThreeAM ransomware and the notorious Conti-Ryuk-TrickBot nexus. It is an emerging Rust-based threat that acts as a fallback for failed LockBit deployments. Notably, the ransomware erases Volume Shadow copies and appends the ‘.ThreeAMtime’ extension to encrypted files. Encrypted files are identifiable by a unique marker string, ‘0x666’.

Previous Cyberthreat Incidents Linked to ThreeAM

Previous cyber threat incidents have been observed that point to the emergence and evolution of ThreeAM ransomware. In July 2022, the domain wirelessrepaid626[.]com was identified as being linked to Formbook and phishing activities. This highlights the ransomware’s connection to a broader network of cybercriminal operations. Additionally, a thorough payload analysis revealed the presence of a ‘260.6 KB’ DLL, compiled around 2019-12-05, which aligns with the tactics, techniques, and procedures (TTPs) of ex-Conti and LockBit.

Operational Tactics and Strategies

The operators behind the ThreeAM ransomware employ various operational tactics and strategies to maximize their impact. One such method is the operation of a name-and-shame blog on the dark web through TOR. This blog serves as a platform for the ransomware operators to publicly shame their victims who fail to pay the demanded ransoms. This form of double extortion further intensifies the pressure on affected businesses to comply.

Impact and Victimology

The ThreeAM ransomware has wreaked havoc on a dozen US businesses between September 13 and October 26, 2023, with a specific focus on small and medium-sized enterprises. The nature of the victims reflects an alarming trend, with 10 of them having a maximum of 50 employees and less than $5 million in revenue. This victimology aligns with the evolving ransomware tactics that increasingly favor mid-size businesses. The consequences for these victims can be devastating, resulting in financial losses, reputational damage, and potential legal liabilities.

The top-tier ransomware ecosystem is evolving at a rapid pace, with threats like ThreeAM ransomware continually pushing the boundaries of cybercriminal capabilities. To counter such threats effectively, businesses must prioritize proactive security measures. This includes implementing robust cybersecurity protocols, conducting regular vulnerability assessments, and educating employees about best practices to prevent phishing and social engineering attacks. By staying one step ahead of cybercriminals, organizations can minimize their vulnerability and safeguard their data and operations from the ever-growing menace of ransomware attacks.

Explore more

Why Should Leaders Invest in Employee Career Growth?

In today’s fast-paced business landscape, a staggering statistic reveals the stakes of neglecting employee development: turnover costs the median S&P 500 company $480 million annually due to talent loss, underscoring a critical challenge for leaders. This immense financial burden highlights the urgent need to retain skilled individuals and maintain a competitive edge through strategic initiatives. Employee career growth, often overlooked

Making Time for Questions to Boost Workplace Curiosity

Introduction to Fostering Inquiry at Work Imagine a bustling office where deadlines loom large, meetings are packed with agendas, and every minute counts—yet no one dares to ask a clarifying question for fear of derailing the schedule. This scenario is all too common in modern workplaces, where the pressure to perform often overshadows the need for curiosity. Fostering an environment

Embedded Finance: From SaaS Promise to SME Practice

Imagine a small business owner managing daily operations through a single software platform, seamlessly handling not just inventory or customer relations but also payments, loans, and business accounts without ever stepping into a bank. This is the transformative vision of embedded finance, a trend that integrates financial services directly into vertical Software-as-a-Service (SaaS) platforms, turning them into indispensable tools for

DevOps Tools: Gateways to Major Cyberattacks Exposed

In the rapidly evolving digital ecosystem, DevOps tools have emerged as indispensable assets for organizations aiming to streamline software development and IT operations with unmatched efficiency, making them critical to modern business success. Platforms like GitHub, Jira, and Confluence enable seamless collaboration, allowing teams to manage code, track projects, and document workflows at an accelerated pace. However, this very integration

Trend Analysis: Agentic DevOps in Digital Transformation

In an era where digital transformation remains a critical yet elusive goal for countless enterprises, the frustration of stalled progress is palpable— over 70% of initiatives fail to meet expectations, costing billions annually in wasted resources and missed opportunities. This staggering reality underscores a persistent struggle to modernize IT infrastructure amid soaring costs and sluggish timelines. As companies grapple with