

Ethical Hacking News

The Sophisticated Phishing Tactics of 3AM Ransomware: A Study on the Evolution of Social Engineering Attacks



The 3AM ransomware operation highlights the importance of robust security measures, effective threat detection, and employee awareness. Learn how to defend against these threats with the latest tactics and techniques from cybersecurity experts.

  • The 3AM ransomware affiliate uses spoofed IT calls and email bombing to socially engineer employees into giving credentials for remote access.
  • The gang's tactics bear similarities to those employed by the Black Basta ransomware gang, indicating a clear escalation of sophistication in social engineering tactics.
  • Email bombing is used to overwhelm employees with unsolicited emails, making them more susceptible to social engineering tactics.
  • Spoofed IT calls are used to impersonate an employee's real IT department and gain remote access to corporate systems.
  • The QEMU emulator is used by the attackers to evade detection by security software and maintain persistence on infected systems.
  • The attackers perform reconnaissance using WMIC and PowerShell, creating a local admin account to connect via RDP.
  • Data exfiltration is the final stage of a 3AM ransomware attack, involving the transfer of sensitive data to cloud storage.



    The cyber threat landscape continues to evolve, with new tactics and techniques emerging every day. In recent months, a specific type of attack has garnered significant attention from security experts and researchers alike: the use of spoofed IT calls and email bombing by the 3AM ransomware affiliate. This article aims to provide an in-depth examination of this phenomenon, exploring its origins, methods, and implications for organizations and individuals alike.

    The 3AM Ransomware Operation: A Brief Overview

    The 3AM ransomware operation was first observed in late 2023, with the malware being linked to the Conti and Royal ransomware gangs. The gang's involvement was later confirmed by Sophos, a leading cybersecurity firm that specializes in threat detection and response.

    According to Sophos, the 3AM ransomware affiliate has conducted highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems. This tactic is not new; however, its effectiveness has driven a wider adoption among threat actors.

    The Black Basta Ransomware Gang: A Precursor to 3AM

    The use of social engineering tactics by the 3AM ransomware affiliate bears striking similarities to those employed by the Black Basta ransomware gang. In 2021, the FBI revealed that the Black Basta gang was responsible for a series of high-profile ransomware attacks against organizations in the United States and Europe.

    The gang's tactics included using vishing (voice phishing) via Microsoft Teams, Quick Assist abuse, and email bombing. These methods were later observed to be used by the 3AM ransomware affiliate, indicating a clear escalation of sophistication in social engineering tactics.

    Email Bombing: A Key Component of 3AM Ransomware Attacks

    Email bombing is a technique where an attacker sends a large volume of unsolicited emails to a target's inbox. This tactic is often used in conjunction with other phishing methods to increase the chances of success.

    In the case of 3AM ransomware attacks, email bombing was used to overwhelm employees with unsolicited emails, making them more susceptible to social engineering tactics. According to Sophos, the attacker sent 24 unsolicited emails in just three minutes, a clear attempt to maximize the impact of their phishing campaign.
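The burst pattern described above (24 messages in three minutes) is something a mail gateway or SIEM can catch mechanically. The following sliding-window detector is an added example, not code from the article or from Sophos; it runs over constructed mail-gateway log lines whose "<timestamp> from=<sender> to=<recipient>" format is an assumption, and flags any mailbox that receives at least THRESHOLD messages inside WINDOW.

```python
"""Sliding-window detector for email bombing against a single mailbox.

Added example, not code from the article or from Sophos. It reads
constructed mail-gateway log lines (the "<timestamp> from=<x> to=<y>"
format is an assumption) and flags any recipient that receives at least
THRESHOLD messages within a sliding WINDOW, mirroring the 24 messages in
three minutes the article reports.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 24                 # messages inside the window that count as a burst
WINDOW = timedelta(minutes=3)  # sliding window length


def make_sample_log():
    """Constructed sample: one mailbox bombed, one mailbox with normal traffic."""
    base = datetime(2025, 5, 21, 9, 0, 0)
    lines = []
    # 24 unsolicited "newsletter" sign-ups hit alice every 7 seconds (161 s in total)
    for i in range(24):
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} from=newsletter{i}@example.invalid to=alice@corp.example")
    # ten ordinary messages to bob spread over an hour
    for i in range(10):
        t = base + timedelta(minutes=6 * i)
        lines.append(f"{t.isoformat()} from=colleague@corp.example to=bob@corp.example")
    return lines


def parse_line(line):
    """Parse one log line into (timestamp, sender, recipient)."""
    ts, sender, recipient = line.split()
    return datetime.fromisoformat(ts), sender[len("from="):], recipient[len("to="):]


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {recipient: (first_ts, last_ts, count, distinct_senders)} for every
    recipient whose inbound message count inside any `window` reaches `threshold`.
    """
    events = sorted(parse_line(line) for line in lines)  # oldest first
    recent = defaultdict(deque)  # recipient -> (timestamp, sender) still inside window
    bursts = {}
    for ts, sender, recipient in events:
        queue = recent[recipient]
        queue.append((ts, sender))
        while queue and ts - queue[0][0] > window:  # drop messages older than the window
            queue.popleft()
        if len(queue) >= threshold and recipient not in bursts:
            senders = {s for _, s in queue}
            bursts[recipient] = (queue[0][0], ts, len(queue), len(senders))
    return bursts


if __name__ == "__main__":
    for rcpt, (first, last, count, distinct) in find_bursts(make_sample_log()).items():
        span = (last - first).total_seconds()
        print(f"ALERT {rcpt}: {count} messages from {distinct} senders in {span:.0f}s")
```

The distinct-sender count is reported alongside the message count because a bombing run typically arrives from many unrelated senders, which separates it from a single misconfigured system flooding one inbox; an alert of this kind is also a useful trigger to warn the affected employee before the follow-up "IT support" call arrives.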

    Spoofed IT Calls: A Novel Twist on Social Engineering

    The use of spoofed IT calls is a novel twist on traditional social engineering tactics. By impersonating an employee's real IT department and claiming that malicious activity has occurred, attackers can gain remote access to corporate systems.

    In one notable case, the 3AM ransomware affiliate used a spoofed phone number to make a call to an unsuspecting employee. The attacker convinced the employee to open Microsoft Quick Assist and grant remote access, supposedly as a response to malicious activity. This tactic is reminiscent of the Quick Assist abuse tactics employed by the Black Basta gang.

    Evading Detection: QEMU Emulator Used in 3AM Ransomware Attacks

    To evade detection by security software, the 3AM ransomware affiliate used a QEMU emulator. QEMU is an open-source emulator that allows attackers to create virtual machines on compromised systems, routing network traffic through these virtual environments.

    This tactic allows attackers to route their activity around traditional host-based security measures and maintain persistence on infected systems even where security tools are deployed. According to Sophos, the 3AM ransomware affiliate used a QEMU emulator to evade detection by security software and ensure that their malware remained active even after attempts were made to block lateral movement.

    Reconnaissance and Lateral Movement: A Two-Pronged Attack

    Once inside the network, the attackers performed reconnaissance using WMIC and PowerShell, creating a local admin account to connect via RDP. They also installed the commercial RMM tool XEOXRemote and compromised a domain administrator account.

    This two-pronged attack allowed the attackers to gather sensitive information, maintain persistence on infected systems, and expand their access to more areas of the network. According to Sophos, this approach is typical of advanced persistent threats (APTs), which are designed to stay hidden within an organization for extended periods.
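The reconnaissance, local admin account creation and RDP logon described above leave a recognisable trail in Windows event logs. The correlation below is an added example, not code from the article or from Sophos: it consumes a constructed, simplified event list (the event IDs are the real Windows ones, but the hosts, users, times and field names are assumptions) and raises one finding when an account is created, added to the local Administrators group and then used for an RDP logon on the same host within a window, attaching any WMIC or PowerShell process creations seen on that host shortly before.

```python
"""Correlate the account-creation-to-RDP chain the article describes.

Added example, not code from the article or from Sophos. The input is a
constructed, simplified Windows Security / Sysmon event list; the event IDs
are the real ones (Sysmon 1 = process creation, 4720 = user account created,
4732 = member added to a local group, 4624 = logon, LogonType 10 = RDP),
but the hosts, users, times and field names are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)                    # max time from account creation to RDP use
RECON_IMAGES = {"wmic.exe", "powershell.exe"}  # the recon tooling named in the article

# Constructed events: the chain on one workstation, plus a benign onboarding
# on a second host (new user added to Remote Desktop Users, not Administrators).
SAMPLE_EVENTS = [
    {"time": "2025-05-21T03:05:00", "host": "WS-17", "id": 1, "image": "wmic.exe",
     "cmdline": "wmic computersystem get domain", "user": "CORP\\alice"},
    {"time": "2025-05-21T03:06:10", "host": "WS-17", "id": 1, "image": "powershell.exe",
     "cmdline": "powershell -c Get-LocalGroupMember Administrators", "user": "CORP\\alice"},
    {"time": "2025-05-21T03:12:00", "host": "WS-17", "id": 4720,
     "target_user": "svc_helpdesk", "subject_user": "CORP\\alice"},
    {"time": "2025-05-21T03:12:30", "host": "WS-17", "id": 4732,
     "group": "Administrators", "member": "svc_helpdesk", "subject_user": "CORP\\alice"},
    {"time": "2025-05-21T03:40:00", "host": "WS-17", "id": 4624,
     "logon_type": 10, "user": "svc_helpdesk", "src_ip": "10.0.0.99"},
    {"time": "2025-05-21T09:00:00", "host": "DC-01", "id": 4720,
     "target_user": "newhire", "subject_user": "CORP\\hr_admin"},
    {"time": "2025-05-21T09:00:20", "host": "DC-01", "id": 4732,
     "group": "Remote Desktop Users", "member": "newhire", "subject_user": "CORP\\hr_admin"},
    {"time": "2025-05-21T09:30:00", "host": "DC-01", "id": 4624,
     "logon_type": 10, "user": "newhire", "src_ip": "10.0.0.12"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def recon_commands(events, host, before, window=WINDOW):
    """Command lines of recon tooling started on `host` in the `window` before `before`."""
    return [e["cmdline"] for e in events
            if e["id"] == 1 and e["host"] == host
            and e["image"].lower() in RECON_IMAGES
            and before - window <= _t(e) <= before]


def detect_admin_rdp_chain(events, window=WINDOW):
    """Flag accounts that were created, added to local Administrators and then used
    for an RDP logon on the same host, all within `window` of the creation.
    Returns one finding dict per such account."""
    created = {}   # (host, user) -> (creation time, creating account)
    promoted = {}  # (host, user) -> time added to Administrators
    findings = []
    for e in sorted(events, key=_t):
        t = _t(e)
        if e["id"] == 4720:
            created[(e["host"], e["target_user"])] = (t, e["subject_user"])
        elif e["id"] == 4732 and e["group"] == "Administrators":
            key = (e["host"], e["member"])
            if key in created and t - created[key][0] <= window:
                promoted[key] = t
        elif e["id"] == 4624 and e["logon_type"] == 10:
            key = (e["host"], e["user"])
            if key in promoted and t - created[key][0] <= window:
                c_time, creator = created[key]
                findings.append({
                    "host": e["host"], "account": e["user"], "created_by": creator,
                    "rdp_from": e["src_ip"],
                    "minutes_to_rdp": (t - c_time).total_seconds() / 60,
                    "recon_before_creation": recon_commands(events, e["host"], c_time, window),
                })
    return findings


if __name__ == "__main__":
    for f in detect_admin_rdp_chain(SAMPLE_EVENTS):
        print(f"ALERT {f['host']}: {f['account']} created by {f['created_by']}, "
              f"RDP from {f['rdp_from']} after {f['minutes_to_rdp']:.0f} min; "
              f"recon seen: {f['recon_before_creation']}")
```

Requiring all three stages keeps the rule quiet during normal onboarding (an account that is created and given RDP rights but never promoted to local admin, as on DC-01 in the sample, does not fire), while the preceding WMIC and PowerShell activity is attached as context for the analyst rather than used as a separate noisy trigger.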

    Data Exfiltration: The Final Stage of 3AM Ransomware Attacks

    The final stage of a 3AM ransomware attack involves exfiltrating sensitive data from the compromised systems. In this case, the attackers used the GoodSync tool to transfer 868 GB of data to Backblaze cloud storage.

    Although Sophos' products blocked lateral movement and defense deactivation attempts, the attacker still managed to exfiltrate data, highlighting the importance of robust security measures in preventing such attacks.
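Because the exfiltration succeeded even though lateral movement was blocked, outbound volume to cloud-storage destinations is worth monitoring as a control in its own right. The detector below is an added example, not code from the article or from Sophos. It sums uploaded bytes per source host and destination domain inside a sliding 24-hour window over constructed egress log lines (the "<timestamp> src=<host> dst=<domain> bytes=<n>" format is an assumption), and the domain "cloudstore.example.invalid" is a placeholder standing in for a real storage provider such as the Backblaze service named above.

```python
"""Per-host outbound-volume detector for bulk exfiltration to cloud storage.

Added example, not code from the article or from Sophos. It reads constructed
egress log lines ("<timestamp> src=<host> dst=<domain> bytes=<n>", an assumed
format), sums bytes per (source host, destination domain) inside a sliding
24-hour window and flags when a watched cloud-storage destination exceeds a
threshold. "cloudstore.example.invalid" is a placeholder domain.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

GB = 1024 ** 3
THRESHOLD_BYTES = 50 * GB       # per host, per destination, per window (assumption)
WINDOW = timedelta(hours=24)
# Destinations that should never receive bulk uploads from workstations (assumption)
CLOUD_STORAGE_DOMAINS = {"cloudstore.example.invalid"}


def make_sample_log():
    """Constructed sample: one workstation pushes 868 GB in four chunks over six
    hours; another host syncs small amounts to the same provider all day."""
    base = datetime(2025, 5, 21, 22, 0, 0)
    lines = []
    for i in range(4):
        t = base + timedelta(hours=2 * i)
        lines.append(f"{t.isoformat()} src=WS-17 dst=cloudstore.example.invalid bytes={217 * GB}")
    for i in range(6):
        t = base + timedelta(hours=i)
        lines.append(f"{t.isoformat()} src=WS-03 dst=cloudstore.example.invalid bytes={200 * 1024 ** 2}")
    # traffic to an unwatched domain is ignored regardless of size
    lines.append(f"{base.isoformat()} src=WS-17 dst=updates.example.invalid bytes={3 * GB}")
    return lines


def parse_line(line):
    """Parse one log line into (timestamp, src_host, dst_domain, bytes)."""
    ts, src, dst, size = line.split()
    return datetime.fromisoformat(ts), src[len("src="):], dst[len("dst="):], int(size[len("bytes="):])


def find_bulk_uploads(lines, threshold=THRESHOLD_BYTES, window=WINDOW,
                      watched=CLOUD_STORAGE_DOMAINS):
    """Return {(src, dst): (first_ts, alert_ts, total_bytes)} for every source host
    whose upload volume to a watched domain crosses `threshold` within `window`.
    `alert_ts` is the moment the threshold was first crossed; `total_bytes` keeps
    growing while further uploads land inside the window."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes) inside window
    running = defaultdict(int)    # (src, dst) -> bytes currently inside window
    alerts = {}
    for ts, src, dst, size in events:
        if dst not in watched:
            continue
        key = (src, dst)
        queue = recent[key]
        queue.append((ts, size))
        running[key] += size
        while queue and ts - queue[0][0] > window:   # expire old records
            _, old = queue.popleft()
            running[key] -= old
        if running[key] >= threshold:
            first, alert_ts, _ = alerts.get(key, (queue[0][0], ts, 0))
            alerts[key] = (first, alert_ts, running[key])
    return alerts


if __name__ == "__main__":
    for (src, dst), (first, alert_ts, total) in find_bulk_uploads(make_sample_log()).items():
        print(f"ALERT {src} -> {dst}: {total / GB:.0f} GB since {first:%H:%M}, "
              f"threshold crossed at {alert_ts:%H:%M}")
```

A fixed threshold is the simplest form of this check; in practice the value is tuned per host class, and the same running sum can be compared against each host's own historical daily volume so that a file server with routine backups and a workstation are judged differently.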

    Prevention is Key: Lessons Learned from 3AM Ransomware Attacks

    The 3AM ransomware operation highlights the importance of employee awareness, robust security measures, and effective threat detection. According to Sophos, several key defense steps can be taken to block these attacks:

    1. Auditing administrative accounts for weak security settings
    2. Using XDR tools to block unapproved legitimate tools like QEMU and GoodSync
    3. Enforcing signed scripts only via PowerShell execution policies
    4. Setting up blocklists using available indicators of compromise

    By implementing these measures, organizations can significantly reduce the risk of falling victim to 3AM ransomware attacks.

    Conclusion

    The 3AM ransomware operation is a stark reminder of the evolving threat landscape in the cybersecurity world. The use of spoofed IT calls and email bombing by this affiliate highlights the importance of robust security measures, effective threat detection, and employee awareness.

    As attackers continue to evolve their tactics and techniques, it is essential that organizations remain vigilant and proactive in defending against these threats. By learning from past attacks like 3AM ransomware, we can improve our defenses and create a safer digital environment for all users.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Sophisticated-Phishing-Tactics-of-3AM-Ransomware-A-Study-on-the-Evolution-of-Social-Engineering-Attacks-ehn.shtml

  • Published: Wed May 21 14:56:00 2025 by llama3.2 3B Q4_K_M