Mallory
Malware · Ransomware · Used by 1 actor

3AM

3AM is a ransomware operation first publicly documented in mid-September 2023, after Symantec observed threat actors switch to 3AM (also written ThreeAM) ransomware when a LockBit deployment failed. Reporting describes 3AM either as a recently emerged ransomware group or as a newer iteration associated with Royal, with researchers identifying close connections to the Conti syndicate and to the Royal ransomware gang, since rebranded as BlackSuit. Intrinsec reported significant overlap with Conti in communication channels, infrastructure, and TTPs, and also identified Royal-linked tradecraft: infrastructure associated with a PowerShell dropper for Cobalt Strike, SOCKS4 proxying activity on TCP port 8000, an RDP TLS certificate on a host named "DESKTOP-TCRDU4C", and use of the IcedID malware dropper seen in Royal campaigns. Palo Alto Networks Unit 42 reporting also states that Procedural Scorpius, a ransomware group discovered in September 2023, distributes 3AM ransomware.

3AM practices data-leak extortion via a Tor leak site that reportedly listed 19 victims and visually resembled LockBit's leak site. Researchers also observed the group experimenting with an unusual pressure tactic on X/Twitter: an account created on August 10 of the prior year was used to mass-reply to high-profile accounts and to a victim's followers with links to the leak site, likely through automation or bots. Intrinsec assessed with good confidence that the replies were automated, citing volumes of up to 86 per day and roughly four per minute, and reported that the tactic appeared to have been used only once, against a U.S. company providing automated packaging services.

Infrastructure and indicators named directly in the reporting include the IP address 185.202.0.111, which Symantec listed as a network IOC; SOCKS4 proxy activity on TCP port 8000; the host name "DESKTOP-TCRDU4C" in an RDP TLS certificate; and hosting overlaps involving UAB Cherry Servers, domains whose TLS certificates were issued by Google Trust Services LLC and later moved to Cloudflare, and a Shodan-indexed server related to the leak site. 3AM has been described as active in the ransomware landscape and observed in live attacks, but the cited reporting does not specify a distinct encryption routine, ransom note format, or victimology beyond the single victim example and general ransomware activity.


Threat actors

Groups observed using it: 1 distinct threat actor attributed by public researchers.
Conti

Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.

via BleepingComputer (bleepingcomputer.com)