3am

ransomware group

3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fallback option when LockBit infections failed. Written in Rust for 64-bit systems, it appends the “.threeamtime” extension to encrypted files and tags them with the marker “0x666,” while deleting Volume Shadow Copies to hinder recovery. 3AM operators use a double extortion strategy, combining file encryption with data theft and threats to leak stolen information. More recent campaigns have shown increased sophistication, incorporating email bombing followed by vishing calls to convince victims to grant remote access via Microsoft Quick Assist. Attackers then deploy virtual machines containing backdoors, allowing them to remain undetected while exfiltrating data before attempting to launch the ransomware payload.