New 3AM Ransomware Hits DS Granit

3AM ransomware, the newest and most unusual cyber-threat program, claimed another victim in the form of DS Granit, a company specializing in the supply and installation of granite, quartz, and Dekton ceramic worktops.

• This attack is part of a new string of hits in the last quarter of 2023, credit to 3AM ransomware
• The 3AM ransomware group hit DS Granit on the 22 of November, as reported by the company’s administrative
• The 3AM ransomware is a newcomer, one of the latest installments in the cyberthreat space and one that caused a lot of confusion
• This type of ransomware operates based on an outdated PHP script called Yugeon Web Clicks v0.1, which released back in 2004
• 3AM got its name from the fact that it encrypts files with the extension .threeamtime

DS Granit is one of the malware’s latest victims and there haven’t been many. It appears that 3AM is only being used selectively, only on handpicked targets. Currently, Threat Hunter Team has only recorded one other incident that involved 3AM.

In that particular case, the attacker used LockBit against the victim, but switched to 3AM when LockBit failed. 3AM worked, but not because it was so advanced that it circumvented the victim’s firewall. In fact, the contrary is true.

The peculiar thing about 3AM is that it uses a very outdated tool to operate, namely the Yugeon Web Clicks script v0.1.

It may seem bizarre that such a modern cyberthreat would operate based on such an old and outdated script, but there may be a method to the madness.

One of the potential explanations is that the attackers rely on the fact that modern firewalls aren’t set to recognize such ancient scripts.

Another is that they rely on the #ransomware classification to simply discourage victims from even attempting a solution on their own.

The intimidation alone would suffice in convincing them to pay. This allows the attackers to circumvent the costs of a more modern and complex PHP script while still having the desired effect.