BleepingComputer reports that the recently discovered 3AM ransomware operation, also known as ThreeAM, has been linked to the Conti and Royal ransomware gangs.
First reported as a fallback used by threat actors whose LockBit attacks had failed, 3AM ransomware was found to have a potential connection with Royal ransomware, whose operators include former members of the Conti syndicate, according to a report from Intrinsec.
3AM and Conti also showed significant overlap in infrastructure, communication channels, and tactics, techniques, and procedures: the newly emergent gang was observed using a PowerShell script that deploys Cobalt Strike, a SOCKS4 proxy on TCP port 8000, and a TLS certificate from a machine tied to Royal ransomware attacks in 2022.
These ties came to light as 3AM ransomware was seen testing a novel extortion technique: publicizing its successful heists through automated replies on X, formerly Twitter.
"We assess with good confidence that an X/Twitter bot was likely used to conduct such a name and shame campaign," said researchers.
Newly emergent 3AM ransomware operation’s ties examined