New 3AM Ransomware Used as a Backup to LockBit Infection | Cyware Hacker News

A new ransomware family dubbed 3AM has emerged in the threat landscape. It was detected in an attack by a LockBit affiliate who attempted to deploy the ransomware when LockBit was blocked on the targeted network.

Diving in details

  • It begins with the use of the gpresult command to retrieve the policy settings for a particular user system.
  • Additionally, actors deployed several components of Cobalt Strike and attempted to gain higher privileges on the computer utilizing PsExec.
  • Subsequently, they executed commands such as whoami, netstat, quser, and net share for reconnaissance purposes.
  • To ensure persistence, they created a new user and employed the Wput tool to transmit the victims’ files to their FTP server.
  • In the final stage, when LockBit was blocked in the first attempt, the attackers resorted to the 3AM ransomware that was deployed on three systems on the organization’s network.


Written in Rust language, the 3AM ransomware gets its name from the fact that it appends encrypted files with the .threeamtime extension. Additionally, the ransom text mentions the ransomware’s name.

What more?

The ransomware is currently being used in limited attacks. Its exact origins remain unknown. However, the fact that 3AM ransomware was used as a fallback by a LockBit affiliate suggests that it may attract the interest of other attackers and could be seen in more attacks in the future.


3AM is one of the many ransomware families written in Rust. Given the rising popularity of this language among ransomware developers, it is recommended that organizations work on improving their defenses by investigating IOCs associated with the ransomware. Besides, a modern-day TIP can optimize detection and investigation processes while helping organizations to thwart such threats in real time.