{ "id": "35900511-3de7-4a84-87e1-af3a89887eb6", "created_at": "2026-04-06T00:07:51.838486Z", "updated_at": "2026-04-10T03:26:47.050259Z", "deleted_at": null, "sha1_hash": "c6fbdbc3a5a16c8f5ad86020f855bcc93725a24a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46084, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:02:15 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool 3AM\r\n Tool: 3AM\r\nNames 3AM\r\nCategory Malware\r\nType Ransomware, Big Game Hunting\r\nDescription\r\n(Symantec) A new ransomware family calling itself 3AM has emerged. To date, the\r\nransomware has only been used in a limited fashion. Symantec’s Threat Hunter Team, part of\r\nBroadcom, has seen it used in a single attack by a ransomware affiliate that attempted to\r\ndeploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked.\r\n3AM is written in Rust and appears to be a completely new malware family. The ransomware\r\nattempts to stop multiple services on the infected computer before it begins encrypting files.\r\nOnce encryption is complete, it attempts to delete Volume Shadow (VSS) copies. It is still\r\nunclear whether its authors have any links to known cybercrime organizations.\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit\u003e\r\nLast change to this tool card: 12 October 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool 3AM\r\nChanged Name Country Observed\r\nAPT groups\r\n  LockBit Gang [Unknown] 2019-May 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edd78e6e-9ac3-4a71-a2fc-5e47c8aa3fd8\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edd78e6e-9ac3-4a71-a2fc-5e47c8aa3fd8\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edd78e6e-9ac3-4a71-a2fc-5e47c8aa3fd8\r\nPage 2 of 2\n\nAPT groups LockBit Gang [Unknown] 2019-May 2025\n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edd78e6e-9ac3-4a71-a2fc-5e47c8aa3fd8" ], "report_names": [ "listgroups.cgi?u=edd78e6e-9ac3-4a71-a2fc-5e47c8aa3fd8" ], "threat_actors": [ { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434071, "ts_updated_at": 1775791607, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c6fbdbc3a5a16c8f5ad86020f855bcc93725a24a.pdf", "text": "https://archive.orkl.eu/c6fbdbc3a5a16c8f5ad86020f855bcc93725a24a.txt", "img": "https://archive.orkl.eu/c6fbdbc3a5a16c8f5ad86020f855bcc93725a24a.jpg" } }