Alert essentials:
An intrusion in which the attacker's attempt to deploy LockBit ransomware was blocked revealed a new ransomware strain named 3AM, which the attacker deployed as a fallback. 3AM follows the familiar double-extortion pattern: data is exfiltrated before files are encrypted, and the ransom note warns that the stolen information will be sold if the attacker is not paid.


Detailed threat description:
According to Symantec’s Threat Hunter Team, 3AM is a new ransomware written in Rust that does not belong to any known malware family. Before encrypting files, it attempts to stop a range of security and backup services, including products from Veeam, Acronis, Ivanti, McAfee and Symantec, and it attempts to delete Volume Shadow Copies that could otherwise be used to restore data. Encrypted files are given the “.THREEAMTIME” extension. The researchers also observed the attacker running the “gpresult” command before deploying 3AM; this dumps the Group Policy settings in effect for a specified user on the system and is a reconnaissance step by the operator rather than behaviour of the payload itself.

The 3AM Rust-based 64-bit executable recognizes the following command-line parameters:

  • “-k” – 32 Base64 characters, the “access key” in the ransom note
  • “-p” – unknown
  • “-h” – unknown
  • “-m” – method, where the code checks one of two values before running encryption logic:
    • “local”
    • “net”
  • “-s” – determines which offsets within each file are encrypted, trading completeness for encryption speed; expressed as decimal digits

However, 3AM was not very effective in the attack Symantec analyzed: the attacker managed to deploy the malware on only three machines in the targeted organization, and its activity was blocked on two of them. Existing endpoint controls can therefore be expected to stop at least some 3AM deployments, but that is no reason to rely on them alone.

Indicators of Compromise (IOC):
SHA256 file hashes:

  • 079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22 – LockBit
  • 307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e – 3AM
  • 680677e14e50f526cced739890ed02fc01da275f9db59482d96b96fbc092d2f4 – Cobalt Strike
  • 991ee9548b55e5c815cc877af970542312cff79b3ba01a04a469b645c5d880af – Cobalt Strike
  • ecbdb9cb442a2c712c6fb8aee0ae68758bc79fa064251bab53b62f9e7156febc – Cobalt Strike

Network indicators:
185.202.0[.]111
212.18.104[.]6
85.159.229[.]62

Potential detection strategies:
SIEM – Outbound connections to the known network indicators (the IP addresses listed above)
SIEM – Threshold-based detection of “service stopped” events (Windows System log, Service Control Manager event ID 7036) for known security and backup services, since 3AM stops several of them in quick succession on one host
SIEM/MDR – Execution of the gpresult command, particularly from accounts or hosts where it is not routinely run
SIEM/EDR – Creation of files with the “.THREEAMTIME” extension
MDR – Blocking execution of files matching the known SHA256 hashes

NOTE: Ransomware groups routinely make small changes to their tooling and tactics, so the currently known hashes and signatures will not, on their own, reliably stop an attack. To help identify this strain even if the file extension is changed, the ransom notes observed to date open with a statement containing “3 am”, and the dark web negotiation address they reference contains “threeam”; either string is a useful secondary indicator for attributing a payload to this group.
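To make the detection strategies above concrete, the following added example (written for this bulletin; it is not Symantec’s or Fortified’s tooling) applies each of them to a handful of constructed events. It assumes a SIEM has already normalised Windows telemetry into dicts with the keys used below (host, type, and per-type fields such as dst_ip, cmdline, service, path, sha256 and content); the per-host service-stop threshold, the vendor substring list used to recognise security services, and the sample events are all assumptions.

```python
"""Detection logic for the 3AM indicators in this bulletin (added example)."""
import re
from collections import defaultdict

# Network and file-hash indicators from the bulletin (de-fanged IPs restored).
IOC_IPS = {"185.202.0.111", "212.18.104.6", "85.159.229.62"}
IOC_SHA256 = {
    "079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22": "LockBit",
    "307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e": "3AM",
    "680677e14e50f526cced739890ed02fc01da275f9db59482d96b96fbc092d2f4": "Cobalt Strike",
    "991ee9548b55e5c815cc877af970542312cff79b3ba01a04a469b645c5d880af": "Cobalt Strike",
    "ecbdb9cb442a2c712c6fb8aee0ae68758bc79fa064251bab53b62f9e7156febc": "Cobalt Strike",
}
# Vendors the bulletin says 3AM tries to stop. Matched as substrings of the
# service name (assumption: real service names vary by product and version).
SECURITY_VENDORS = ("veeam", "acronis", "ivanti", "mcafee", "symantec")
SERVICE_STOP_THRESHOLD = 3          # assumed tuning value, per host
ENCRYPTED_EXT = ".threeamtime"      # extension 3AM appends to encrypted files
RANSOM_NOTE_MARKERS = ("3 am", "threeam")
# gpresult as a bare command or as a path component, case-insensitive.
GPRESULT_RE = re.compile(r"(^|[\\/\s])gpresult(\.exe)?(\s|$)", re.IGNORECASE)


def detect(events):
    """Return a list of (rule, host, detail) alerts for the given events."""
    alerts = []
    stopped = defaultdict(list)     # host -> security/backup services stopped

    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "network" and ev["dst_ip"] in IOC_IPS:
            alerts.append(("ioc_ip", host, ev["dst_ip"]))
        elif kind == "process" and GPRESULT_RE.search(ev["cmdline"]):
            alerts.append(("gpresult", host, ev["cmdline"]))
        elif kind == "service_stop":
            name = ev["service"].lower()
            if any(v in name for v in SECURITY_VENDORS):
                stopped[host].append(ev["service"])
        elif kind == "file":
            path = ev["path"]
            digest = ev.get("sha256", "").lower()
            if digest in IOC_SHA256:
                alerts.append(("ioc_hash", host, f"{IOC_SHA256[digest]}: {path}"))
            if path.lower().endswith(ENCRYPTED_EXT):
                alerts.append(("3am_extension", host, path))
            note = ev.get("content", "").lower()
            if any(m in note for m in RANSOM_NOTE_MARKERS):
                alerts.append(("3am_ransom_note", host, path))

    # Threshold rule: several security/backup services stopped on one host
    # is the pre-encryption behaviour the bulletin describes.
    for host, names in stopped.items():
        if len(names) >= SERVICE_STOP_THRESHOLD:
            alerts.append(("security_service_stops", host, ", ".join(names)))
    return alerts


# Constructed sample events (hostnames, paths and note text are invented).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "network", "dst_ip": "185.202.0.111", "dst_port": 443},
    {"host": "WS01", "type": "network", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"host": "WS01", "type": "process",
     "cmdline": r"C:\Windows\System32\gpresult.exe /r /user backupadmin"},
    {"host": "SRV02", "type": "service_stop", "service": "VeeamBackupSvc"},
    {"host": "SRV02", "type": "service_stop", "service": "AcronisAgent"},
    {"host": "SRV02", "type": "service_stop", "service": "McAfeeFramework"},
    {"host": "SRV02", "type": "service_stop", "service": "Spooler"},
    {"host": "SRV02", "type": "file", "path": r"C:\Users\Public\svc.exe",
     "sha256": "307A1217AAC33C4B7A9CD923162439C19483E952C2CEB15AA82A98B46FF8942E"},
    {"host": "SRV02", "type": "file", "path": r"C:\Users\Public\report.docx.THREEAMTIME"},
    {"host": "SRV02", "type": "file", "path": r"C:\Users\Public\RECOVER-FILES.txt",
     "content": 'Hello. "3 am" Your files were taken. Negotiate at threeam...onion'},
]


def run_sample():
    """Run the detector over the constructed events and return its alerts."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{host:6} {rule:24} {detail}")
```

The service-stop rule deliberately counts only services whose names contain a known vendor string, so a single stopped service (a routine restart of a backup agent, say) does not fire; three or more on one host within the window your SIEM evaluates does. Tune SECURITY_VENDORS to the actual service names in your estate and keep the hash and IP sets as a feed rather than hard-coded constants.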

Impacts on healthcare organizations
Healthcare is a frequent target of organized threat groups employing ransomware and extortion tactics. At a minimum, a successful attack results in stolen data and one or more systems with encrypted files. In more severe cases, multiple systems or entire networks can be encrypted and rendered unusable, significantly impacting patient care.

Affected products / versions

  • Windows (the analyzed sample is a 64-bit Windows executable); any system reachable from a compromised host may have its data exfiltrated

CVE

  • No CVEs are associated with the ransomware payload itself. CVEs describe vulnerabilities that may be exploited to gain initial and persistent access to a victim network, after which ransomware such as 3AM is deployed.

KBs

Recommendations

Engineering recommendations:

  • Ensure adequate backups of critical systems such as servers, domain controllers, and workstations are available and regularly tested
  • Maintain alternate/off-site backups that the primary backup infrastructure cannot reach, since 3AM attempts to stop backup services and delete Volume Shadow Copies before encrypting
  • Employ endpoint detection and response technologies to detect, prevent, and respond to signs of infection
  • Drill incident response playbooks to cement the processes needed to combat such a threat

Leadership / program recommendations:

  • Coordinate tabletop exercises to ensure essential incident response tasks, including incident responders’ and leadership’s roles and responsibilities, are thoroughly understood
  • Open communication channels with enablers such as IR firms, cyber insurance, and legal teams to establish relationships before an incident occurs
  • Orchestrate and test IR notification and declaration procedures with internal and external IR enablers

Fortified Health Security is committed to maturing the cybersecurity posture of your healthcare organization. We will monitor and update this bulletin as the situation progresses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: