Threat Intelligence Report July 1 - July 7 2025

3AM Ransomware

3AM (aka “ThreeAM”) is a Rust-based ransomware strain first observed in September 2023 when Conti affiliates - thwarted in a LockBit deployment - pivoted to this new payload. Since then, 3AM has operated as a lean double-extortion RaaS, linked to former Conti/Royal operators. It leverages highly targeted social-engineering (email-bombing + vishing), novel VM-based loaders, and “living-off-the-land” tradecraft to steal data before encryption. Confirmed victims include a U.S. packaging firm (mid-2023), multiple enterprises through 2024, and a Sophos-protected customer in Q1 2025, where strong MFA and EDR limited impact to a single unprotected server.

Key Facts

• First Seen: September 2023 (fallback after LockBit failure)
• Affiliation: Conti → BlackSuit/Royal lineage (shared infrastructure, leaks)
• Leak Site: Tor portal (double-extortion) launched Q4 2023

Detailed TTPs

• Initial Access
  • Email-Bombing + Vishing: Flood inbox → spoofed IT support call → Quick Assist session (no payload on disk)
  • Malicious Archive (ZIP → VBS dropper): Delivered via lookalike domain (msquick[.]link), extracting a QEMU VM and VBScript loader
  • Traditional Phishing/RDP: Spear-phish with macro docs or stolen VPN/RDP creds (Storm-1811 pattern)
• Execution & Deployment
  • VM-in-VM Loader: QEMU launches a hidden Windows 7 VM running QDoor backdoor (C2 over port 443)
  • Cobalt Strike & Tooling: Beacon stagers, credential stealers, and WMIC/PowerShell for remote execution
• Persistence
  • Account Manipulation: New local admin (“SupportUser”); domain service-account compromises
  • RMM Agents: XEOXRemote and Syncro installs for stealthy long-term access
  • Backdoors: QDoor binaries (vol.exe, svchost.exe) dropped on servers
• Privilege Escalation
  • Credential Dumping: Likely LSASS dumps (inferred from rapid DA compromise)
  • Token Impersonation/Valid Accounts: Use of stolen domain admin credentials
• Defence Evasion
  • Service/EDR Kill: net stop dozens of AV/backup services; EDR-killer tools
  • Shadow-Copy Deletion: vssadmin delete shadows /all /quiet; wbadmin delete systemstate
  • Sandbox Evasion: Loader requires -k <access_key> and modes (-m local|net) to run
• Discovery & Lateral Movement
  • WMI & Admin Shares: wmic /node:<host> process calls; pushing ransomware via \\host\c$
  • RDP Enablement: Registry and firewall tweaks (d.bat) to allow RDP across network
• Data Exfiltration
  • GoodSync → Backblaze B2: 868 GB stolen over 3 days in Q1 2025
  • FTP (Wput): Early case using FTP for exfil in 2023
• Impact
  • Double-Extortion: Files encrypted (.threeamtime), data threatened for leak on Tor site
  • Partial Encryption Mode: -s switch to speed up attacks by encrypting file segments
     

Indicators of Compromise (IOCs)

• File Artifacts:
  • Ransomware samples (SHA-256):
    • 307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e
    • 079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22
  • Encrypted extension: *.threeamtime
  • Ransom note: RECOVER-FILES.txt (starts with “Hello. ‘3 am’ The time of mysticism…”)

• • VM dropper files:
    • C:\ProgramData\UpdatePackage_exic\Update.vbs
    • …\wexe (QEMU binary)
    • …\Update_excic.acow2 (VM image)
  • Backdoor binaries: vol.exe, svchost.exe in ProgramData
• Registry & Scheduled Tasks:
  • RDP enablement via HKLM\SYSTEM\…\Terminal Server\fDenyTSConnections = 0
  • Scheduled Task WindowsSensor15 uninstalling Duo MFA
• Network Indicators:
  • Backdoor C2 IPs: 88.118.167.239:443, 172.86.121.134
  • Conti-linked servers: 185.202.0.111, 212.18.104.6, 85.159.229.62
  • Phishing domain: msquick.link → 1ty.me → Google Drive download
• Tor leak site:

Their Captcha Page.

threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion

threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion/recovery
      

Contact email: 3amnight@inbox.ru, threeam@onionmail.org

Mitigation & Defensive Controls (with CE 5.0)

1. Email Gateway & User Training
   • Block .msi attachments, macros; simulate email-bombing scenarios
   • Train staff on vishing red flags (unsolicited IT calls)
2. Endpoint Hardening & Behaviour Analytics
   • Enforce application control: block QEMU, GoodSync, Wput on endpoints
   • Detect mass service-stop commands and shadow-copy deletions
   • Monitor for new RECOVER-FILES.txt drop events
3. Network Filtering & Monitoring
   • Block/alert on outbound to known C2 IPs and Tor exit/hidden service traffic
   • Segment network to restrict SMB and RDP access
4. Identity & Access Management
   • Apply MFA on all remote access (RDP, VPN, admin portals)
   • Audit and remove unauthorised local/domain admin accounts
5. Backup & Recovery
   • Maintain immutable, offline backups (3-2-1 rule)
   • Test restoration procedures regularly
6. Incident Response Orchestration
   • Automate containment via EDR integration (isolate infected hosts)
   • Triage via memory captures for key extraction; ingest CE 5.0 alerts into SIEM/XDR
7. Threat Intelligence Sharing
   • Share new IOCs on OTX/MISP; subscribe to Conti-family intel feeds
   • Monitor dark-web leak sites for mentions of “3AM” or victim names

Ransomware Victims Worldwide

The United States continues to dominate the global ransomware threat landscape, accounting for 56.52% of all reported victims this week. This consistent trend highlights its vast digital attack surface, high-value enterprise targets, and persistent prioritisation by threat actors across the ransomware ecosystem.

Spain and Canada follow at 5.43% each, reflecting ongoing targeting of critical infrastructure, government, and commercial sectors within these countries.

India and the United Kingdom each recorded 3.26%, underlining their prominence as key victims due to rapidly expanding digital footprints and international business integration.

Countries such as Italy, Australia, Germany, Sweden, Thailand, and Israel each saw 2.17% of incidents, showing that Western Europe and Asia-Pacific regions remain highly targeted zones, especially for mid- to high-tier ransomware operators.

A long tail of nations—including Belgium, Taiwan, Malaysia, Croatia, Portugal, Saudi Arabia, Colombia, Denmark, Panama, Bangladesh, Argentina, and Ecuador—each accounted for 1.09% of global ransomware activity. This reflects the truly global nature of ransomware campaigns, which increasingly affect smaller economies and emerging markets alongside their larger counterparts.