Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.
The 3AM ransomware gang's activity was first documented publicly in mid-September when the Threat Hunter Team at Symantec, now part of Broadcom, revealed that they noticed threat actors switching to ThreeAM ransomware after failing to deploy the LockBit malware.
According to researchers at French cybersecurity company Intrinsec, ThreeAM is likely connected to the Royal ransomware group, now rebranded as Blacksuit, a gang made up of former members of Team 2 within the Conti syndicate.
The link between 3AM ransomware and the Conti syndicate became stronger as Intrinsec progressed in their investigation of the group's tactics, infrastructure used in attacks, and communication channels.
Starting from an IP address that Symantec listed as a network indicator of compromise in its report on the threat actor's attack, Intrinsec researchers found on VirusTotal a PowerShell script, detected since 2020, that drops Cobalt Strike.
Previously, IcedID had been used to deliver ransomware from the XingLocker (later rebranded as Quantum) and Conti groups.
Intrinsec found the same IP subnet in a report published last April by cybersecurity and managed services company Bridewell, which notes that the ALPHV/BlackCat ransomware operation hosted its backend infrastructure exclusively on the UAB Cherry Servers ISP and used IP addresses in the same subnet, some of which had been associated with the IcedID malware used in Conti attacks.
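The infrastructure pivot described above (an indicator from one vendor's report landing in the same subnet as indicators from another) is a routine threat-intelligence check. The script below is an added example, not Intrinsec's, Symantec's or Bridewell's tooling, and the report names and IP addresses in it are constructed placeholders from the RFC 5737 documentation ranges, not the real indicators from any of the reports mentioned. It groups indicators from several reports by /24 (or /64 for IPv6), lists the subnets that recur across reports, and sets aside malformed entries rather than letting one bad indicator abort the whole comparison.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (assumption for illustration only): placeholder
# addresses in RFC 5737 documentation ranges standing in for the network IoCs
# that different vendor reports might publish. None of these are real indicators.
REPORTS = {
    "report_A": ["192.0.2.17", "198.51.100.40", "203.0.113.9"],
    "report_B": ["192.0.2.200", "192.0.2.201", "198.51.100.7"],
    "report_C": ["203.0.113.77", "192.0.2.55", "not-an-ip"],
}


def to_subnet(ip, v4_prefix=24, v6_prefix=64):
    """Normalise one indicator to the subnet it belongs to.

    Raises ValueError for anything that is not a valid IPv4/IPv6 address, so the
    caller can decide how to handle dirty input.
    """
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    # strict=False lets us pass a host address and get the containing network.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def group_by_subnet(reports, v4_prefix=24, v6_prefix=64):
    """Map each subnet to {report_name: [indicators seen there]}.

    Returns (grouped, rejected) where rejected lists (report_name, raw_value)
    pairs that could not be parsed as IP addresses.
    """
    grouped = defaultdict(dict)
    rejected = []
    for name, indicators in reports.items():
        for raw in indicators:
            try:
                net = to_subnet(raw, v4_prefix, v6_prefix)
            except ValueError:
                rejected.append((name, raw))
                continue
            grouped[net].setdefault(name, []).append(raw)
    return grouped, rejected


def shared_subnets(reports, min_reports=2, v4_prefix=24, v6_prefix=64):
    """Subnets that appear in at least min_reports distinct reports.

    Returns a sorted list of (subnet_as_str, [report names]) so the result is
    stable and easy to diff between runs.
    """
    grouped, _ = group_by_subnet(reports, v4_prefix, v6_prefix)
    hits = [
        (str(net), sorted(names))
        for net, names in grouped.items()
        if len(names) >= min_reports
    ]
    return sorted(hits)


def main():
    grouped, rejected = group_by_subnet(REPORTS)
    print("Subnets seen in more than one report:")
    for net, names in shared_subnets(REPORTS):
        print(f"  {net}: {', '.join(names)}")
    if rejected:
        print("Entries that could not be parsed as IP addresses:")
        for name, raw in rejected:
            print(f"  {name}: {raw!r}")


if __name__ == "__main__":
    main()
```

A shared /24 is a lead, not proof: hosting providers recycle addresses, so a subnet overlap like the one described above gains weight only when, as here, it is corroborated by other observations (the same ISP, the same malware family, consistent timing).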
Intrinsec's technical finding aligns with threat intelligence from RedSense saying that ALPHV is an allied group that is not part of the Conti syndicate but could help the gang in various ways to carry out attacks.
Digging for more public information about ThreeAM, Intrinsec's cyber threat intelligence team discovered that the gang likely tested a new extortion technique using automated replies on X to broadcast news of their successful attacks.
3AM ransomware replied with a link to its data leak site on the Tor network to tweets from the victim as well as from various other accounts, some with hundreds of thousands of followers, as in the example below.
Intrinsec researchers determined that ThreeAM used the same message in an automated fashion to respond to multiple tweets from some of the victim's followers.
Surprisingly, 3AM's site looks very similar to the one the LockBit ransomware operation uses.
The Conti cybercrime syndicate was the largest and most aggressive ransomware operation from 2020 until it shut down in May 2022 following a data breach known as the Conti Leaks.
The syndicate split into multiple cells and the ransomware brand dissolved, but many of its members and affiliates partnered with other operations, contributing experienced individuals for all stages of an attack, from target analysis and initial access to negotiations, infrastructure, development, and operations.
Based on a post on a hacker forum, some researchers speculate that one of the leaders of the Royal group is a threat actor calling themselves Baddie.
No other evidence about this has been disclosed publicly, and ransomware these days is a constantly shifting scene, and Baddie could simply have been working with multiple ransomware-as-a-service operations, Bohuslavskiy says.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 20 Jan 2024 15:15:28 +0000