Security researchers analyzing the exercise of the just lately emerged 3AM ransomware operation uncovered shut connections with notorious teams, such because the Conti syndicate and the Royal ransomware gang.
3AM, additionally spelled ThreeAM, has additionally been making an attempt out a brand new extortion tactic: sharing information of an information leak with the sufferer’s social media followers and utilizing bots to answer to high-ranking accounts on X (previously Twitter) with messages pointing to information leaks.
3AM tied to Conti cybercrime syndicate
The 3AM ransomware gang’s exercise was first documented publicly in mid-September when the Threat Hunter Team at Symantec, now a part of Broadcom, revealed that they observed risk actors switching to ThreeAM ransomware after failing to deploy the LockBit malware.
According to researchers at French cybersecurity firm Intrinsec, ThreeAM is probably going related to the Royal ransomware group – now rebranded as Blacksuit, a gang of former members of Team 2 throughout the Conti syndicate.
The hyperlink between 3AM ransomware and the Conti syndicate grew to become stronger as Intrinsec progressed of their investigation of the group’s techniques, infrastructure utilized in assaults, and communication channels.
In a report shared with BleepingComputer, Intrinsec says that their evaluation of the risk actor revealed “a major overlap” in communication channels, infrastructure, and techniques, strategies, and procedures (TTPs) between 3AM and the Conti syndicate.
In one other discovering, Intrinsec noticed a SOCKS4 proxy on TCP port 8000 that’s usually used for tunneling communication. The researchers word that “the signature related to this Socks4 service was displayed on two IP addresses displaying such a proxy hallmark since mid-2022.”
“This timeline of exercise is consistent with the one recognized for Zeon ransomware, which was noticed in September 2022 in keeping with Trend Micro however may have first spiked even earlier in late January 2022” – Intrinsec
Furthermore, Intrinsec analysts recognized a TLS certificates for an RDP service on a machine known as “DESKTOP-TCRDU4C” that’s related to assaults from mid-2022, a few of them leveraging the IcedID malware dropper in campaigns from Royal ransomware.
supply: Intrinsic
A more in-depth evaluation revealed that six of the 27 servers shared the identical port, protocol, Apache product with the identical model, autonomous system (AS16125), group, and the textual content “llc” indicating a ‘restricted legal responsibility firm’.
Apart from this, the domains on the analyzed IP addresses had TLS certificates from Google Trust Services LLC and have been transferred to Cloudflare.
Intrinsec discovered the identical IP subnet in a report from cybersecurity and managed companies firm Bridewell final April, which notes that the ALPHV/BlackCat ransomware operation hosted its backend infrastructure solely on the UAB Cherry Servers ISP, used IP addresses in the identical subnet, and a few of them have been related to the IcedID malware that had been used for Conti assaults.
Intrinsec’s technical discovering aligns with risk intelligence from RedSense saying that ALPHV is an allied group that isn’t a part of the Conti syndicate however may assist the gang in numerous methods to hold out assaults.
Testing Twitter bots to stress victims
Digging for extra public details about ThreeAM, Intrinsec’s cyber risk intelligence staff found that the gang possible examined a brand new extortion approach utilizing automated replies on X (previously Twitter) to broadcast information of their profitable assaults.
The risk actor arrange an X/Twitter account final 12 months on August 10 and used it to depart “quite a few replies” mentioning one in all his victims and redirecting to the information leak website.
3AM ransomware replied with a hyperlink to 3AM’s information leak website on Tor community to tweets from the sufferer in addition to numerous accounts, some with lots of of hundreds of followers, comparable to the instance beneath.
supply: BleepingComputer
This tactic was possible employed to unfold the information of the assault and subsequent information leak and to wreck the enterprise status of the sufferer – a US firm offering automated packaging companies.
Intrinsec researchers decided that ThreeAM used the identical message in an automatic vogue to answer a number of tweets from among the sufferer’s followers.
“We assess with good confidence that an X/Twitter bot was possible used to conduct such a reputation and disgrace marketing campaign,” Intrinsec writes within the non-public report shared with BleepingComputer.
Pointing to this concept is the elevated quantity and frequency of ThreeAM replies, typically as many as 86 per day, nicely above the typical of an actual consumer, and round 4 per minute.
supply: Intrinsic
It is value noting that this tactic seems to have been employed solely with one 3AM sufferer, most likely as a result of it didn’t yield the outcomes the risk actor anticipated.
A take a look at 3AM’s information leak website within the Tor community exhibits an inventory of 19 victims who didn’t pay the ransom and whose information the risk actor leaked. Surprisingly, 3AM’s website seems similar to the one the LockBit ransomware operation makes use of.
Intrinsec notes that “though ThreeAM intrusion units appear to be a much less subtle subgroup of Royal” and the gang shows much less operational safety it shouldn’t be underestimated and it may nonetheless deploy numerous assaults.
The Conti syndicate
The Conti cybercrime syndicate was the biggest and most aggressive ransomware operation between 2020 and when it shut down in May 2022 following an information breach often known as Conti Leaks.
During one in all its most efficient hacking sprees, the operation’s associates compromised greater than 40 organizations in a bit of underneath a month, the quickest assaults taking simply three days from preliminary entry to encrypting programs.
The syndicate cut up into a number of cells and the ransomware model dissolved however lots of its members and associates partnered with different operations, contributing with skilled people for all phases of an assault, from goal evaluation and preliminary entry, to negotiations, infrastructure, builders, and operators.
One continuation is Royal ransomware, “the direct inheritor of Conti,” in keeping with RedSense cyber risk intelligence researcher Yelisey Bohuslavskiy, a closed operation with members realizing one another personally.
Because of a publish on a hacker discussion boardsome researchers speculate that one of many leaders of the Royal group is a risk actor calling themselves Baddie. However, no different proof has been disclosed publicly about this and ransomware today is a always shifting scene, and Baddie may have simply been working with a number of ransomware-as-a-service (RaaS) operations, Bohuslavskiy says.
On a scene as chaotic as associates working with a number of RaaS teams, it’s tough to trace the members of a selected gang or tie them to an operation.