A new ransomware family called 3AM has emerged in the wild. It was detected in a single incident in which an unidentified affiliate deployed the strain after an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network.
“The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies.”
In the attack spotted by Symantec, the adversary is said to have managed to deploy the ransomware to three machines on the organization’s network, only for it to be blocked on two of those machines.
The intrusion is notable for its use of Cobalt Strike for post-exploitation and privilege escalation, followed by reconnaissance commands to identify other servers for lateral movement. The exact ingress route employed in the attack is unclear.
“Ransomware affiliates have become increasingly independent from ransomware operators,” Symantec said.
“New ransomware families appear frequently and most disappear just as quickly or never manage to gain significant traction. However, the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.”
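The behaviour quoted earlier (several services stopped, then Volume Shadow copies deleted) can be turned into a host-level correlation rule. The following is an added example, not code from Symantec or the article: the event tuples, the function name `detect`, the thresholds and the matched command lines (common Windows service-stop and shadow-copy commands) are assumptions, since the article does not list the commands 3AM runs.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, ISO timestamp, command line).
# The command lines are assumed, typical Windows administration commands;
# they are not taken from the article.
SAMPLE_EVENTS = [
    ("srv01", "2023-09-13T03:00:01", "net stop BackupAgent"),
    ("srv01", "2023-09-13T03:00:02", "net stop SQLWriter"),
    ("srv01", "2023-09-13T03:00:03", "sc.exe stop ExampleAV"),
    ("srv01", "2023-09-13T03:00:05", "net stop MailStore"),
    ("srv01", "2023-09-13T03:07:40", "vssadmin.exe delete shadows /all /quiet"),
    # Routine maintenance: one service stop and a read-only VSS query.
    ("srv02", "2023-09-13T09:15:00", "net stop Spooler"),
    ("srv02", "2023-09-13T09:16:00", "vssadmin list shadows"),
    # Shadow deletion with no preceding service stops (not correlated here).
    ("srv03", "2023-09-13T11:00:00", "wmic shadowcopy delete"),
]

SERVICE_STOP = re.compile(
    r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service)\b", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.I)


def detect(events, min_stops=3, window=timedelta(minutes=30)):
    """Alert when a shadow-copy deletion on a host follows at least
    `min_stops` distinct service-stop commands within `window`."""
    stops = {}   # host -> [(time, normalised command line)]
    alerts = []
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if SERVICE_STOP.search(cmd):
            stops.setdefault(host, []).append((when, cmd.lower()))
        elif SHADOW_DELETE.search(cmd):
            recent = {c for t, c in stops.get(host, []) if when - t <= window}
            if len(recent) >= min_stops:
                alerts.append({"host": host, "time": ts,
                               "stops": len(recent), "trigger": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Shadow-copy deletion on its own, as on `srv03` in the sample data, is usually worth a separate lower-severity alert; this rule only covers the correlated sequence.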
Source: https://thehackernews.com/