Novel 3AM ransomware attacks launched as fallback for thwarted LockBit intrusion

BleepingComputer reports that a ransomware affiliate deployed the new 3AM ransomware strain in February after a LockBit ransomware attack against a targeted network failed. After using the "gpresult" command to dump system policy settings, leveraging PsExec for privilege escalation, and performing reconnaissance as part of the unsuccessful LockBit attack, the threat actors turned to the Rust-based 3AM ransomware, which halted several security and backup services on the compromised system before encrypting files, according to a report from Symantec's Threat Hunter Team. Files encrypted by 3AM ransomware are given the ".THREEAMTIME" extension, and Volume Shadow copies are later deleted to prevent file recovery. While the malware was deployed on only three machines, two of which had malicious activity blocked, more threat actors could potentially leverage 3AM ransomware, said researchers, who provided file hashes for the ransomware samples and the Cobalt Strike components used in the attack.
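A defender can triage endpoint telemetry for the behaviors listed above. The following is an added example, not code from Symantec, BleepingComputer or SC Media: the event field names, the sample events, and the verdict labels are constructed assumptions, and matching on vssadmin is an assumption because the article does not name the tool used to delete shadow copies.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry; field names (host, type, image, cmdline, path) are assumptions.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\gpresult.exe", "cmdline": "gpresult /r"},
    {"host": "ws01", "type": "process", "image": r"C:\Tools\PsExec.exe", "cmdline": "PsExec.exe"},
    {"host": "ws01", "type": "file_rename", "path": r"C:\Users\a\q3.xlsx.THREEAMTIME"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\gpresult.exe", "cmdline": "gpresult /r"},
    {"host": "ws02", "type": "process", "image": r"C:\Tools\PsExec64.exe", "cmdline": "PsExec64.exe"},
    {"host": "ws03", "type": "process", "image": r"C:\Windows\System32\gpresult.exe", "cmdline": "gpresult /r"},
]

def classify(event):
    """Map one event to a behavior named in the article, or None."""
    if event["type"] == "file_rename":
        return "encrypted_ext" if event["path"].lower().endswith(".threeamtime") else None
    name = PureWindowsPath(event["image"]).name.lower()
    cmd = event.get("cmdline", "").lower()
    if name == "gpresult.exe":
        return "policy_dump"
    if name in ("psexec.exe", "psexec64.exe"):
        return "psexec"
    # Assumption: the article does not name the deletion tool; vssadmin is one common way.
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow_delete"
    return None

def triage(events):
    """Return {host: (verdict, sorted behaviors)} for hosts with at least one match."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    result = {}
    for host, seen in stages.items():
        if seen & {"encrypted_ext", "shadow_delete"}:
            verdict = "impact"          # encryption or recovery inhibition observed
        elif {"policy_dump", "psexec"} <= seen:
            verdict = "pre-ransomware"  # both precursor behaviors on the same host
        else:
            verdict = "review"          # single admin-tool use, common in normal operations
        result[host] = (verdict, sorted(seen))
    return result

if __name__ == "__main__":
    print(triage(EVENTS))
```

gpresult and PsExec are routine administration tools, so a single match is left at "review"; the combination on one host is what raises priority before any file is renamed.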
