LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile 3AM

3AM Ransomware: The Rust-Written LockBit Backup That Became Its Own Operation

3AM emerged in September 2023 as a fallback option for LockBit affiliates when LockBit infrastructure was disrupted. Written in Rust, targeting Windows and ESXi environments, the group has operated independently through 2025-2026 with a focus on SMB and mid-market targets in North America and Europe. This profile covers known TTPs, victim patterns, and detection indicators.

By Ransomware Tracker ·
3AMransomwareRustLockBitgroup-profileESXidouble-extortionSMBSymantecBroadcom
Threat Level
8/10
Sectors Targeted
manufacturing
professional-services
healthcare
technology
legal
Ransomware Family
3AM

3AM is a ransomware operation that emerged publicly in September 2023 when it was first documented by Broadcom’s Symantec Threat Hunter Team. The initial discovery was notable for the context: 3AM appeared in an intrusion where the primary ransomware payload had been a LockBit deployment. When LockBit was blocked on the target system, the affiliate switched to 3AM as a fallback. That first observation established 3AM’s operational relationship to the LockBit ecosystem — shared affiliates, backup deployment — and suggested organised coordination rather than independent origin.

Since that initial documentation, 3AM has operated as a standalone ransomware-as-a-service operation, continuing to add victims through 2024 and 2025 as LockBit faced sustained law enforcement pressure.

Origins and LockBit Connection

The September 2023 Symantec report described an intrusion where a LockBit 3 deployment failed after defensive tools blocked it on most target systems. The attacker, rather than abandoning the operation, deployed 3AM ransomware on three machines before defensive response contained it. The fallback behaviour indicated that the affiliate had access to 3AM as an alternative — suggesting either that 3AM operators were actively recruiting LockBit affiliates at a period of LockBit instability, or that the affiliate maintained dual affiliations.

The relationship between 3AM operators and LockBit’s core team is not publicly established. Attribution has been limited to Symantec’s telemetry and open-source reporting. What is documented is the targeting and TTP overlap with LockBit-affiliated intrusions: similar initial access vectors, similar Active Directory enumeration techniques, and deployment timing consistent with LockBit operational playbooks.

Technical Profile

Language: Rust — a deliberate choice common to modern ransomware groups. Rust offers memory safety, cross-platform compilation, and produces binaries that are more resistant to reverse engineering than C/C++ equivalents. Akira, Cicada3301, and several other active groups have also adopted Rust.

Platforms targeted: Windows (primary) and VMware ESXi. ESXi targeting allows attackers to encrypt virtualised environments at scale — a single ESXi host with dozens of virtual machines can be encrypted faster and more completely than targeting each VM individually.

Encryption: The ransom note and file naming convention use the .threeamtime extension. The encryptor targets a broad range of file types while specifically avoiding Windows system files and directories to maintain system operability (and to maintain the victim’s ability to negotiate and pay).

Pre-encryption activity: 3AM deploys standard pre-ransomware preparation:

  • Volume Shadow Copy deletion via vssadmin delete shadows /all /quiet
  • Windows Backup service termination
  • Defensive tool process termination (security software, backup agents)
  • Credential harvesting for lateral movement prior to encryption
  • Data exfiltration to threat actor-controlled infrastructure before encryption runs

Exfiltration for double extortion: 3AM operates a data leak site (“The Three AM Times”) where data from non-paying victims is published. The double extortion model follows the standard pattern: ransomware encryption disrupts operations, data theft creates secondary pressure through threatened publication of confidential information.

Initial Access and Intrusion TTPs

3AM intrusions documented through 2024-2025 show consistent initial access patterns:

Exposed RDP and VPN credentials. The majority of documented 3AM intrusions began with credential-based access to internet-facing remote access infrastructure. This is consistent with the group purchasing access from Initial Access Brokers (IABs) or directly brute-forcing exposed RDP.

Phishing with macro-enabled documents. A smaller proportion of documented intrusions used phishing emails with document attachments as the initial vector.

Software vulnerability exploitation. Some intrusions exploited unpatched VPN appliances and remote management software, though vulnerability exploitation is a less common initial vector than credential abuse.

Post-initial access TTPs largely follow standard RaaS playbooks:

  • Living-off-the-land with tools including net, nltest, whoami, ipconfig for enumeration
  • Cobalt Strike or similar C2 deployment for persistent access and lateral movement
  • BloodHound or SharpHound for Active Directory mapping
  • Rclone or MEGAsync for bulk exfiltration
  • Deployment of ransomware payload via PsExec or GPO across compromised domain

Victim Profile

3AM targets a different segment than the largest ransomware operations. While groups like LockBit, ALPHV, and RansomHub have pursued large enterprise and critical infrastructure targets (which attract law enforcement attention and complex negotiations), 3AM has concentrated on:

  • SMBs and mid-market companies (50–2,000 employees) across North America and Western Europe
  • Professional services firms: Law firms, accounting firms, consulting firms — targets with high data sensitivity relative to their security posture
  • Manufacturing: Mid-sized manufacturers with limited IT security staff and high sensitivity to operational disruption
  • Healthcare: Regional healthcare providers and healthcare technology companies

This targeting preference mirrors the observed strategy of groups like Akira and Fog — larger volumes of smaller, lower-profile victims rather than fewer high-profile targets. Lower-profile victims attract less law enforcement attention, have less leverage in negotiations, and have lower likelihood of having cyber insurance that requires expert incident response.

Ransom demands reported in 3AM cases range from tens of thousands to several million dollars, consistent with the mid-market targeting profile.

Defensive Priorities

For organisations in 3AM’s target profile (SMB/mid-market, professional services, manufacturing):

Eliminate exposed RDP. RDP should not be internet-facing under any circumstances. If remote access is required, implement it through a VPN or Zero Trust Network Access (ZTNA) solution with MFA. Exposed RDP is the primary initial access vector for 3AM and dozens of other ransomware operators.

MFA on all remote access. VPN, RDP via jump host, and remote desktop solutions must require MFA. Credential-based attacks fail when a stolen password alone is insufficient.

Immutable backups. 3AM’s pre-encryption activity specifically targets Windows Volume Shadow Copies and backup services. Backups stored on the same domain-joined infrastructure as production are vulnerable to deletion. Offline, air-gapped, or immutable object storage backups (e.g., S3 Object Lock, Azure Immutable Blob Storage) survive ransomware campaigns.

Monitor for pre-ransomware TTPs. The command execution patterns prior to ransomware deployment are more detectable than the ransomware itself. VSS deletion, backup service termination, and bulk rclone exfiltration are detectable with adequate endpoint telemetry and alerting. An organisation that detects these patterns has hours to respond before encryption begins.

Limit service account privileges. Ransomware deployment via GPO or PsExec requires domain administrator access. Minimising the number of accounts with domain admin, auditing privileged account usage, and alerting on domain controller access from unexpected sources reduces the blast radius of any credential compromise.

Current Activity Level

3AM maintains consistent operational activity through 2025-2026. The group’s lean toward mid-market targets means individual incidents receive less media coverage than attacks on large enterprises, but victim counts on the group’s leak site indicate sustained operations. The LockBit enforcement actions of February and May 2024 disrupted some LockBit affiliate operations; affiliates seeking alternatives included 3AM among their options, providing a recruitment pathway that likely sustained the group’s operational capacity through the broader LockBit disruption period.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting