New ‘3AM’ ransomware strain used in place of failed LockBit attack
A new ransomware strain dubbed “3AM” has been detected in a single incident being used where an attempt to infect a victim with LockBit ransomware had been blocked.
Detailed today by researchers from the Symantec Threat Hunting team, 3AM is written in the Rust programming language and is believed to be a completely new malware family. The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow Copies.
The unknown threat actors behind the attack were detected using a gpresult command to dump the policy settings enforced on the computer for a specified user. The attacker also used Cobalt Strike components and attempted to escalate privileges on the targeted computer using PsExec. Various other reconnaissance commands were used and the attacker also added a new user for persistence.
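The behaviours described above (a gpresult policy dump, PsExec use, a new account for persistence, shadow-copy deletion after encryption) are each ordinary on their own but telling in combination on one host. The following is an added illustration, not code from Symantec or from the article, of command-line detection rules run over constructed process-creation records; the log format, the `net user /add` and `vssadmin`/`wmic` patterns are assumptions, since the article names the behaviours but not the exact commands.

```python
import re
from collections import defaultdict

# Rules keyed to the stages the write-up describes. The regexes are
# illustrative assumptions, not Symantec indicators.
RULES = {
    # gpresult dump of enforced policy for a user (recon step)
    "recon_gpresult": re.compile(r"\bgpresult(\.exe)?\b.*\s/[rvz]\b", re.I),
    # shadow-copy deletion; the article only says 3AM deletes Volume Shadow Copies
    "vss_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    # local account creation for persistence (assumed net.exe form)
    "persistence_new_user": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    # PsExec client or its service binary (privilege escalation / lateral movement)
    "psexec": re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I),
}

def parse_event(line):
    """Split one 'host|user|command_line' record (constructed format); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    host, user, cmd = (p.strip() for p in parts)
    return {"host": host, "user": user, "cmd": cmd}

def scan(lines):
    """Return (rule, host, command_line) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append((name, ev["host"], ev["cmd"]))
    return hits

def hosts_to_escalate(lines, min_distinct_rules=2):
    """Hosts where two or more different stages fired: recon plus account creation
    or shadow-copy deletion on one machine is the pre-encryption chain the article
    describes and is worth isolating before encryption begins."""
    by_host = defaultdict(set)
    for rule, host, _ in scan(lines):
        by_host[host].add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct_rules)

# Constructed sample telemetry, not data from the incident
SAMPLE_EVENTS = [
    "WS-01|corp\\jdoe|gpresult.exe /r /user corp\\jdoe",
    "WS-01|corp\\jdoe|net user svc_backup Passw0rd /add",
    "WS-01|SYSTEM|vssadmin.exe delete shadows /all /quiet",
    "WS-02|corp\\asmith|notepad.exe C:\\notes.txt",
    "WS-03|SYSTEM|PSEXESVC.exe",
    "malformed line without separators",
]
```

Run `scan(SAMPLE_EVENTS)` to list the individual hits and `hosts_to_escalate(SAMPLE_EVENTS)` to see that only WS-01, where three stages co-occur, is flagged.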
Where the attack path becomes interesting is that the attackers first attempted to install LockBit ransomware but were blocked. Having been blocked, the attacker then attempted to deploy 3AM instead. The attack is described as only partially successful: the attackers managed to deploy it on just three machines on the targeted organization’s network, and it was blocked on two of those three.
While new ransomware families appear frequently and most disappear just as quickly or never gain traction, the Symantec researchers note that the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be used again in the future.
The LockBit ransomware gang operates on a ransomware-as-a-service model where affiliates use already-developed ransomware to execute attacks. LockBit has regularly been one of the most prolific ransomware groups online since emerging in 2020 and was named as the most active threat actor in January.
“The emergence of the 3AM ransomware group signals a concerning new phase in the evolution of ransomware,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “While only detected in one campaign so far, this group is incorporating service stopping and data deletion of VSS along with exfiltrating data before encrypting files.”
McQuiggan noted that the use of the Rust programming language shows the group’s ability to adapt and innovate. “Ransomware groups like 3AM represent a clear and present danger to organizations of all kinds,” McQuiggan added. “To defend against this threat, business leaders must prioritize ransomware resilience.”
Image: Ideogram