Ransomware on the Rise: Unveiling the New 3AM Weapon

# New Ransomware Attack Deploys 3AM as Backup Plan

A LockBit affiliate deployed a new ransomware family called 3AM in a recent attack after LockBit’s execution was blocked. According to Broadcom’s Symantec Threat Hunter Team, the 3AM ransomware attempts to disable multiple security and backup tools and delete volume shadow copies to prevent file recovery.

## The Attack Process

In this observed attack, the threat actor first dumped the policy settings enforced on the computer for a specified user and deployed several Cobalt Strike components to escalate privileges. Next, the attackers performed reconnaissance to identify other servers for lateral movement, added a new user for persistence, and exfiltrated the victim’s files. The initial plan was to execute the LockBit ransomware, but when it was blocked, the attackers switched to 3AM ransomware, which successfully encrypted files on a single machine.

The 3AM ransomware, written in Rust and deployed as a 64-bit executable, accepts specific command-line parameters and attempts to stop targeted processes. It then scans the drives for files that meet specific criteria, encrypts them, and deletes the original files. The ransomware adds the ‘.threeamtime’ extension to encrypted files and drops a ransom note named ‘RECOVER-FILES.txt’ in each scanned folder.
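The two file-system artifacts described above are enough for a first-pass hunt. The following Python triage over file-creation events is an added example, not taken from Symantec's report or the original article; the CSV layout, host names and process paths are constructed assumptions standing in for an EDR or Sysmon export.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".threeamtime"     # extension named in the article
RANSOM_NOTE = "recover-files.txt"  # note name from the article, lowercased

# Constructed sample events; the column layout and process names are assumptions.
SAMPLE_EVENTS = r"""time,host,image,target
2023-01-01T03:00:01Z,FS01,C:\Users\Public\svc.exe,D:\Share\HR\payroll.xlsx.threeamtime
2023-01-01T03:00:01Z,FS01,C:\Users\Public\svc.exe,D:\Share\HR\RECOVER-FILES.txt
2023-01-01T03:00:02Z,FS01,C:\Users\Public\svc.exe,D:\Share\Finance\q3.docx.threeamtime
2023-01-01T03:00:02Z,FS01,C:\Users\Public\svc.exe,D:\Share\Finance\RECOVER-FILES.txt
2023-01-01T09:12:40Z,WS07,C:\Windows\System32\notepad.exe,C:\Users\alice\Documents\RECOVER-FILES.txt
2023-01-01T09:13:05Z,WS07,C:\Windows\explorer.exe,C:\Users\alice\Documents\notes.txt
"""


def triage(events_csv, min_note_folders=2):
    """Group file-creation events per (host, process) and flag 3AM-style activity."""
    stats = defaultdict(lambda: {"encrypted": 0, "note_dirs": set()})
    for row in csv.DictReader(io.StringIO(events_csv)):
        path = PureWindowsPath(row["target"])
        key = (row["host"], row["image"].lower())
        name = path.name.lower()
        if name.endswith(ENCRYPTED_EXT):
            stats[key]["encrypted"] += 1
        elif name == RANSOM_NOTE:
            stats[key]["note_dirs"].add(str(path.parent).lower())

    findings = []
    for (host, image), s in sorted(stats.items()):
        notes = len(s["note_dirs"])
        if s["encrypted"] and notes:
            severity = "high"      # both indicators from the same process
        elif s["encrypted"] or notes >= min_note_folders:
            severity = "medium"    # one indicator, or notes spreading across folders
        else:
            continue               # a lone note file is too weak to alert on
        findings.append({"host": host, "image": image, "encrypted": s["encrypted"],
                         "note_folders": notes, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Because the note is dropped in every scanned folder, counting distinct folders per process separates an encryption run from a single file that merely shares the name.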

## Rising Independence of Ransomware Affiliates

Symantec reports that other ransomware affiliates have also been observed attempting to deploy two different ransomware families in the same attack, suggesting that affiliates are becoming more independent from ransomware operators. This trend highlights the evolving tactics employed by cybercriminals to maximize their chances of success.

“New ransomware families appear frequently, and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future,” Symantec notes.

## The Evolving Landscape of Ransomware Attacks

The use of multiple ransomware families in a single attack signifies a shift in the strategies employed by cybercriminals. Previously, ransomware attacks were mainly associated with specific ransomware groups. However, the growing independence of affiliates indicates a diversification of tactics and increased resilience to disruptions.

The constant emergence of new ransomware families underscores the continuous evolution of cyber threats and the need for organizations and individuals to remain vigilant in their security practices. Ransomware attacks pose a significant threat to businesses and individuals alike, as they can result in the loss of valuable data and financial damages.

## The Importance of Robust Cybersecurity Measures

To mitigate the risk of falling victim to ransomware attacks, individuals and organizations must prioritize cybersecurity measures. This includes:

1. **Advanced Threat Detection:** Implementing robust security solutions that can detect and prevent ransomware attacks. This includes proactive monitoring, threat intelligence, and machine learning-based detection algorithms.
2. **Regular Backups:** Creating regular backups of critical data and storing them offline or in secure cloud services. This ensures that in the event of an attack, files can be recovered without resorting to paying the ransom.
3. **Employee Education:** Conducting regular cybersecurity awareness training sessions to educate employees on the latest threats and best practices for avoiding phishing emails and malicious websites.
4. **Patching and Updates:** Keeping software and operating systems up to date with the latest security patches to prevent vulnerabilities that can be exploited by ransomware.
5. **Multi-Factor Authentication:** Enforcing multi-factor authentication for accessing sensitive systems and accounts to add an extra layer of security.
6. **Incident Response Plan:** Developing a comprehensive incident response plan that outlines the steps to be taken in case of a ransomware attack, including isolation of affected systems and communication with stakeholders.

## Conclusion

The recent deployment of the 3AM ransomware as a backup plan highlights the evolving tactics employed by ransomware affiliates. As organizations and individuals face an increasing risk of falling victim to ransomware attacks, it is crucial to prioritize robust cybersecurity measures. By implementing advanced threat detection, regular backups, employee education, patching and updates, multi-factor authentication, and an incident response plan, individuals and organizations can enhance their resilience against ransomware attacks.
