3AM ransomware, the newest and most unusual cyber-threat program, claimed another victim in the form of DS Granit, a company specializing in the supply and installation of granite, quartz, and Dekton ceramic worktops.
DS Granit is one of the malware’s latest victims, and there haven’t been many. 3AM appears to be used selectively, only against handpicked targets. So far, Threat Hunter Team has recorded only one other incident involving 3AM.
In that case, the attacker first used LockBit against the victim and switched to 3AM when LockBit failed. 3AM worked, but not because it was so advanced that it circumvented the victim’s firewall. In fact, the contrary is true.
The peculiar thing about 3AM is that it uses a very outdated tool to operate, namely the Yugeon Web Clicks script v0.1.
It may seem bizarre that such a modern cyberthreat would operate based on such an old and outdated script, but there may be a method to the madness.
One of the potential explanations is that the attackers rely on the fact that modern firewalls aren’t set to recognize such ancient scripts.
Another is that they rely on the ransomware label itself to discourage victims from even attempting a solution on their own.
The intimidation alone would be enough to convince victims to pay. This lets the attackers avoid the cost of a more modern and complex PHP script while still achieving the desired effect.
At this point, there is very limited data to work with in relation to the 3AM ransomware, because the program has been deployed rarely.
So far, 3AM seems to be a backup plan for failed LockBit attacks, but more research is necessary to reach a definitive conclusion.
3AM is written in Rust and operates in classic ransomware fashion: it encrypts files and directs the victim to a basic Tor site for negotiation.
Victims are expected to use the passkey included in the ransom note to connect and negotiate for access to their files. Experts advise against paying, because there is no guarantee that the victim will get their files back anyway.