ThreeAM attacks ABCOR

Incident Date:

February 22, 2024

World map

Overview

Title

ThreeAM attacks ABCOR

Victim

ABCOR

Attacker

Threeam

Location

Campbellfield, Australia

Victoria, Australia

First Reported

February 22, 2024

ABCOR Targeted by ThreeAM Ransomware Group

ABCOR has been attacked by the ThreeAM ransomware group. The company has not commented on the breach, so it’s unclear how the negotiations are going. 3AM detailed the victim’s profile on its public platform but no other information is available. Abcor specializes in metal production and parts assembly. Products range in size and complexity from chassis rails and cross members for the truck industry, to stainless steel grab rails to aluminium bull bars and bumpers to audio brackets for the OEM transport industry.

The Rise of ThreeAM Ransomware

In late 2023, a new and distinct ransomware group named ThreeAM or 3AM Ransomware reared its ugly head. It appeared to play the role of ‘second fiddle’ to other ransomware, particularly during unsuccessful deployments of the notorious LockBit ransomware. ThreeAM appears to be a Russian-speaking group, as it is employed by other bad actors who also have the LockBit variant and has mostly Western-affiliated countries in its crosshairs. However, they are not only a secondary option, ThreeAM sets itself apart through several unique technical characteristics.

Strikingly, it is developed using Rust, distinguishing itself as a novel player in the ransomware world. It functions as a 64-bit executable and was designed to disrupt applications, backup systems, and security software. It targets specific files, renames them with a “.threeamtime” extension, and attempts to remove Volume Shadow copies, highlighting its destructive capabilities.

Technical Approach of ThreeAM

ThreeAM operational sequence involves meticulous pre-encryption activities, targeting and disabling particular services, especially those related to security and backup, from well-known vendors. At first, ThreeAM approach uses the “gpresult” command to extract policy settings from the victim’s system. A reconnaissance phase follows, involving a range of commands for network and server enumeration, establishing persistence, and data exfiltration using tools such as the Wput FTP client. ThreeAM is also known to use command-line parameters for targeted operations, which include specifying the encryption method and controlling the encryption speed.

Once these services are neutralized, it initiates its file encryption process, appending a unique ‘.threeamtime’ extension to encrypted files. Moreover, it tries to delete Volume Shadow copies, a tactic that is used to hamper data recovery efforts. These technical nuances highlight a fairly sophisticated approach to attacks, although the extortion methods the group uses are conventional.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.