BleepingComputer reports that the recently discovered 3AM ransomware operation, also known as ThreeAM, has been found to be associated with the Conti and Royal ransomware gangs.
Initially reported to have been used by threat actors whose LockBit malware attacks had failed, 3AM ransomware was found to have a potential connection with the Royal ransomware gang, which consists of former Conti syndicate members, according to a report from Intrinsec.
3AM and Conti also showed significant overlap in infrastructure, communication channels, and tactics, techniques, and procedures. The newly emerged ransomware gang was observed using a PowerShell script that deploys Cobalt Strike and a SOCKS4 proxy on TCP port 8000, as well as a TLS certificate from a machine linked to Royal ransomware attacks in 2022.
These ties were uncovered as 3AM ransomware was noted to have begun testing a novel extortion technique: broadcasting its successful heists through automated replies on X, formerly Twitter.
"We assess with good confidence that an X/Twitter bot was likely used to conduct such a name and shame campaign," said researchers.