Rage of LockBit: Unmasking the Menace of 3AM Ransomware

Ransomware LockBit Affiliate Deploys New 3AM Ransomware in Recent Attack

Introduction

In a recent attack, a LockBit affiliate deployed a previously unseen ransomware family, 3AM, after its attempt to run LockBit was blocked. 3AM tries to stop security and backup tools, deletes volume shadow copies so that files cannot be recovered locally, and encrypts files, appending a ‘.threeamtime’ extension. The incident shows how quickly ransomware operators adapt when one payload fails and why defences need to cover the whole intrusion, not just the final encryptor.

Attack Details

The observed attack unfolded in several stages. The attackers first dumped the policy settings enforced on the victim’s computer for a specified user, deployed Cobalt Strike components, and attempted to escalate privileges. They then performed reconnaissance to identify other servers for lateral movement, added a new user account for persistence, and exfiltrated the victim’s files.

The attackers first attempted to execute the LockBit ransomware. When it was blocked, they switched to 3AM and ran it successfully on a single machine. The ransomware encrypts files on the compromised machine, deletes the originals, and leaves a ransom note named ‘RECOVER-FILES.txt’ in each folder it has scanned.
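The behaviours described above (a policy dump for a specific user, shadow-copy deletion, stopping of backup and security services, a new local account, the ‘RECOVER-FILES.txt’ note and the ‘.threeamtime’ extension) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the original write-up or from Symantec, that runs simple detection rules over constructed process-creation and file-creation events and triages them per host. The event format, the host names, the service name in the sample, and the use of gpresult as the tool behind the policy dump are assumptions made for the example.

```python
import re
from collections import defaultdict

# Detection rules keyed on the behaviours the incident write-up describes.
# Each rule: (name, event type it applies to, regex over the command line
# (process events) or the target path (file events), weight used for triage).
RULES = [
    # Dump of policy settings for a named user. gpresult is the standard tool
    # for this; the write-up does not name the tool, so this is an assumption.
    ("policy_dump", "process",
     re.compile(r"\bgpresult(\.exe)?\b.*\s/user\b", re.I), 1),
    # Volume shadow copy deletion via vssadmin or wmic, which blocks local recovery.
    ("shadow_copy_delete", "process",
     re.compile(r"(\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b)"
                r"|(\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b)", re.I), 3),
    # Service stops, the usual way backup and security tools are disabled.
    # Noisy on its own; it only carries weight in combination with other hits.
    ("service_stop", "process",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I), 2),
    # Local account creation for persistence.
    ("new_local_user", "process",
     re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I), 2),
    # Ransom note dropped into every folder the encryptor scanned.
    ("ransom_note", "file",
     re.compile(r"[\\/]RECOVER-FILES\.txt$", re.I), 3),
    # Encrypted output files.
    ("encrypted_file", "file",
     re.compile(r"\.threeamtime$", re.I), 3),
]

WEIGHTS = {name: weight for name, _, _, weight in RULES}


def match_event(event):
    """Return the names of every rule that fires on a single event."""
    text = event["cmdline"] if event["type"] == "process" else event["path"]
    return [name for name, etype, rx, _ in RULES
            if etype == event["type"] and rx.search(text)]


def triage(events):
    """Group rule hits by host and assign a severity.

    A host on which encrypted files or the ransom note already appear is
    critical; shadow-copy deletion without encryption yet is high (the window
    in which isolating the host still saves data); otherwise the severity
    follows the summed weights of the distinct rules that fired.
    """
    per_host = defaultdict(lambda: {"hits": set(), "score": 0})
    for ev in events:
        for name in match_event(ev):
            host = per_host[ev["host"]]
            if name not in host["hits"]:
                host["hits"].add(name)
                host["score"] += WEIGHTS[name]
    result = {}
    for host, data in per_host.items():
        hits = data["hits"]
        if "encrypted_file" in hits or "ransom_note" in hits:
            severity = "critical"
        elif "shadow_copy_delete" in hits:
            severity = "high"
        elif data["score"] >= 3:
            severity = "medium"
        else:
            severity = "low"
        result[host] = {"severity": severity, "hits": sorted(hits)}
    return result


# Constructed sample telemetry (not data from the actual incident). FS01 shows
# the full chain; WS42 shows a lone gpresult run, which on its own is routine
# administration and must not page anyone.
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process", "cmdline": r"gpresult /z /user CORP\jdoe"},
    {"host": "FS01", "type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "type": "process", "cmdline": "net stop ExampleBackupSvc /y"},
    {"host": "FS01", "type": "process", "cmdline": "net user sysadm P@ssw0rd! /add"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Finance\Q3.xlsx.threeamtime"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Finance\RECOVER-FILES.txt"},
    {"host": "WS42", "type": "process", "cmdline": r"gpresult /r /user CORP\helpdesk"},
    {"host": "WS42", "type": "process", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict["severity"], ", ".join(verdict["hits"]))
```

The point of the per-host triage is ordering: shadow-copy deletion and service stops happen before encryption starts, so a rule that alerts on them at high severity buys the responder the minutes needed to isolate the host, whereas alerting only on the ‘.threeamtime’ extension confirms an infection that has already done its damage.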

Implications and Analysis

The deployment of a new ransomware family by a LockBit affiliate indicates that affiliates are becoming less dependent on a single operator’s payload. Organizations therefore cannot rely on signatures for one well-known family. 3AM itself accepts command-line parameters that control its behaviour and can terminate targeted processes before encrypting, which marks it as a purpose-built tool rather than a quick substitute.

The fact that LockBit was blocked shows that endpoint protection can stop a well-known payload. The switch to 3AM shows the limit of that: by the time the encryptor runs, the attacker already holds the access needed to drop a different one, so blocking the final payload is not the same as ending the intrusion. Encrypting files while deleting shadow copies leaves victims without isolated backups unable to recover their data without paying the ransom.

Broader Context

The use of more than one ransomware family in the same attack, as seen with the 3AM and LockBit combination, is not an isolated incident. Symantec warns that other ransomware affiliates have also tried to deploy different ransomware families, indicating a growing trend toward independence among these threat actors. This diversification makes it even more important for organizations and individuals to adopt defences that cover the whole attack chain rather than one payload.

Advisory and Recommendations

To protect against ransomware attacks, organizations and individuals should consider the following recommendations:

1. Maintain Up-to-Date Security Measures:

– Keep security software, such as antivirus and anti-malware, up to date on all devices.
– Regularly install software updates and patches to address known vulnerabilities.

2. Implement Strong Access Controls:

– Use strong, unique passwords for all accounts and enable multi-factor authentication where possible.
– Limit user privileges to only what is necessary for their roles.

3. Backup Important Data:

– Regularly back up critical data to offline or immutable storage. Backups that can be deleted or encrypted with the same credentials an attacker holds on the network offer no protection; the shadow-copy deletion seen in this attack is exactly why local snapshots alone are not enough.
– Test the restoration process periodically to ensure backup data integrity and to know how long a full restore actually takes.

4. Educate Users:

– Train employees and individuals on safe browsing habits and how to identify phishing emails and malicious websites.
– Encourage reporting of any suspicious emails or activities.

5. Develop an Incident Response Plan:

– Establish a comprehensive incident response plan that outlines the steps to take in the event of a ransomware attack.
– Regularly test and update the plan to ensure its effectiveness.

6. Engage in Threat Intelligence:

– Stay informed about the latest threat landscape by following cybersecurity news and subscribing to reliable threat intelligence sources.
– Work with cybersecurity professionals or managed security service providers to gain insight into emerging threats and deploy appropriate defenses.

Conclusion

The deployment of the 3AM ransomware by a LockBit affiliate highlights the ever-evolving tactics of ransomware operators and the fact that blocking one payload does not end an intrusion. Organizations and individuals must remain vigilant and continually improve their defences. Keeping security measures up to date, enforcing strong access controls, and maintaining isolated, tested backups reduce the risk of falling victim to ransomware, while threat intelligence and a rehearsed incident response plan round out a comprehensive strategy.

<< photo by cottonbro studio >>
The image is for illustrative purposes only and does not depict the actual situation.