
3AM Ransomware Overview

3AM ransomware is a newly emerging malware strain, discovered when a ransomware operator deployed it following failed attempts to distribute LockBit ransomware on target systems. Following infiltration, the threat actor delivered second-stage payloads, including Cobalt Strike, to advance their attack chain. 3AM ransomware is a 64-bit executable written in Rust and has been classified as a completely new strain of ransomware within the threat landscape. The most prominent event involving 3AM ransomware to date is its use as a fallback during a failed LockBit attack, where it was deployed on three machines within the target organisation’s network.

3AM ransomware attempts to stop security and backup services before encrypting files, which receive the extension ‘.THREEAMTIME’, and deleting the original files. The ransomware also attempts to delete Volume Shadow copies and drops a ransom note in each scanned folder. The encrypted files contain a marker string followed by the stolen data, and the ransom note threatens to sell the stolen data unless the ransom is paid, which is consistent with the traditional double-extortion strategy employed by threat actors.


Successful exploitation by 3AM ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data held on the compromised system, prior to a ransom of a predetermined value being issued. The ransom amount demanded will almost certainly depend on the estimated value of the compromised organisation.

Furthermore, such a compromise of data will also result in the organisation incurring a negative reputational impact. Encrypted data may include private customer data, corporate finance data and system credentials that, if released, can assist threat actors with future attacks.

Incident Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as 3AM ransomware. EDR solutions can alert system users to potential breaches and stop further progress before the ransomware can inflict significant damage.
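
The behaviours described in the overview (files appearing with the ‘.THREEAMTIME’ extension across many folders, alongside Volume Shadow copy deletion) can be correlated per host. The sketch below is an added example, not part of the original report or any vendor's detection logic; the event format, sample events, thresholds and shadow-copy command patterns are assumptions, as the report names only the extension.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXT = ".threeamtime"            # extension from the report, matched case-insensitively
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_FOLDERS = 3                 # assumed threshold of distinct folders hit
# Assumption: shadow-copy deletion via common built-in tools; the report names no command.
SHADOW_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

# Constructed events (time, host, kind, detail); kind is "proc" or "file_create".
SAMPLE_EVENTS = [
    ("2024-01-01T03:00:05", "ws01", "proc", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-01-01T03:01:10", "ws01", "file_create", r"C:\Users\a\Docs\plan.docx.THREEAMTIME"),
    ("2024-01-01T03:01:12", "ws01", "file_create", r"C:\Users\a\Pictures\x.png.threeamtime"),
    ("2024-01-01T03:01:15", "ws01", "file_create", r"D:\Finance\q3.xlsx.THREEAMTIME"),
    ("2024-01-01T09:00:00", "ws02", "proc", "vssadmin.exe list shadows"),
    ("2024-01-01T09:05:00", "ws02", "file_create", r"C:\Temp\notes.txt"),
    ("2024-01-01T10:00:00", "ws03", "file_create", r"C:\Share\one.pdf.THREEAMTIME"),
]

def folder_of(path):
    """Parent folder of a Windows path, lower-cased (works on any OS)."""
    return path.rsplit("\\", 1)[0].lower()

def detect(events):
    """Return {host: severity} for hosts with files carrying the extension."""
    hits = defaultdict(list)    # host -> [(time, folder)] of files with EXT
    shadow = defaultdict(list)  # host -> [time] of shadow-copy deletions
    for ts, host, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "file_create" and detail.lower().endswith(EXT):
            hits[host].append((t, folder_of(detail)))
        elif kind == "proc" and SHADOW_RE.search(detail):
            shadow[host].append(t)
    alerts = {}
    for host, files in hits.items():
        # Largest number of distinct folders touched inside any WINDOW.
        spread = max(len({f for t2, f in files if t <= t2 <= t + WINDOW})
                     for t, _ in files)
        near_shadow = any(abs(t - s) <= WINDOW for t, _ in files for s in shadow[host])
        if spread >= MIN_FOLDERS and near_shadow:
            alerts[host] = "high"    # mass encryption plus shadow-copy deletion
        elif spread >= MIN_FOLDERS or near_shadow:
            alerts[host] = "medium"
        else:
            alerts[host] = "low"     # isolated file with the extension: triage
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```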

The Quorum Cyber Threat Intelligence team provides ransomware reports so that you can better understand the threats facing your organisation.

Download your report to read more today.