When LockBit Ransomware Fails, Attackers Deploy Brand-New '3AM'

In a recent attack against a construction company, hackers who failed to execute LockBit in a target network were observed deploying a second, never-before-seen ransomware, which managed to break through.

The new tool is rather standard fare, blocking various cybersecurity and backup-related software before locking up files on its host computer. But it distinguishes itself with an adorable little theme: 3 a.m., a time when perhaps only insomniacs, hardcore night owls, and black hat hackers are still up and working away.

In a report this week, researchers from Symantec described the first observed use of 3AM — a double-whammy attack in which the LockBit ransomware was blocked but then 3AM squeaked through in one compromised machine.

"This is not the first time we've seen attackers use more than one ransomware family," warns Dick O'Brien, principal intelligence analyst for the Symantec threat hunter team. "Organizations should expect this to happen."

It's 3AM, Do You Know Where Your Files Are?

Upon infiltrating its target network, the threat actors in this case immediately began gathering user information and deploying tools for data harvesting. Early on, for instance, they deployed Cobalt Strike and used the remote command tool PsExec to try to escalate privileges.

Next, they ran reconnaissance commands like whoami (prints the username), netstat (displays the network status), and so on; attempted to list other servers they could use for lateral movement; and added a new user for purposes of persistence. Then, they used the Wput utility to upload the victim's files to their own file transfer protocol (FTP) server.

At this point, with everything in place, the attackers intended to deploy LockBit — the latest sensation in modern ransomware-as-a-service. Unfortunately for them, the target's cybersecurity protections wholly blocked the deployment of LockBit.

But unfortunately for the victim, the attackers had a second cyber weapon on hand: 3AM. The malware is so named because it appends encrypted files with the suffix ".threeamtime" and references that time of day in its ransom note.

"Hello," the note begins. "'3 am' The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems 'show no signs of life', the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."

Tired Malware Catches Antivirus Sleeping

Compared with the note, the authors demonstrated less creativity in writing the malware itself.

3AM is a 64-bit executable written in Rust, an increasingly popular coding language for hackers and defenders alike. It has a long list of security and backup-related software it attempts to kill on its host machine, then proceeds to do its dirty work: scanning the disk, identifying certain kinds of files, encrypting them, dropping the ransom note, then deleting any Volume Shadow (VSS) backup copies of files that might otherwise give the victim respite.

In this first deployment, attackers only managed to deploy 3AM onto three machines, and it was subsequently blocked on two. It successfully penetrated the third, though, where LockBit could not. Rather than some testament to the power of 3AM, O'Brien figures, "it likely worked because it was a previously unseen threat, whereas LockBit is known." The hackers claim to have stolen sensitive data from the compromised machine, though Symantec could not verify that.

When it comes to stopping a piece of ransomware, let alone two, O'Brien advises that "defense in depth is the best strategy. Ransomware attacks are a multistage operation, and organizations should address all stages of a potential attack and not just focus on blocking payloads."

"The earlier you stop an attack, the better," he says.