ThreeAM attacks ABCOR
Date:
February 22, 2024
Overview
Title
ThreeAM attacks ABCOR
Victim
ABCOR
Attacker
Location
Size of Attack
Unknown/TBD
First Reported
February 22, 2024
Last Updated
October 31, 2022
ABCOR has been attacked by the ThreeAM ransomware group. The company has not commented on the breach, so it’s unclear how the negotiations are going. 3AM detailed the victim’s profile on its public platform but no other information is available. Abcor specializes in metal production and parts assembly. Products range in size and complexity from chassis rails and cross members for the truck industry, to stainless steel grab rails to aluminium bull bars and bumpers to audio brackets for the OEM transport industry. In late 2023, a new and distinct ransomware group named ThreeAM or 3AM Ransomware reared its ugly head. It appeared to play the role of ‘second fiddle’ to other ransomware, particularly during unsuccessful deployments of the notorious LockBit ransomware. ThreeAM appears to be a Russian-speaking group, as it is employed by other bad actors who also have the LockBit variant and has mostly Western-affiliated countries in its crosshairs. However, they are not only a secondary option, ThreeAM sets itself apart through several unique technical characteristics. Strikingly, it is developed using Rust, distinguishing itself as a novel player in the ransomware world. It functions as a 64-bit executable and was designed to disrupt applications, backup systems, and security software. It targets specific files, renames them with a “.threeamtime” extension, and attempts to remove Volume Shadow copies, highlighting its destructive capabilities. ThreeAM operational sequence involves meticulous pre-encryption activities, targeting and disabling particular services, especially those related to security and backup, from well-known vendors. At first, ThreeAM approach uses the “gpresult” command to extract policy settings from the victim’s system. A reconnaissance phase follows, involving a range of commands for network and server enumeration, establishing persistence, and data exfiltration using tools such as the Wput FTP client. ThreeAM is also known to use command-line parameters for targeted operations, which include specifying the encryption method and controlling the encryption speed. Once these services are neutralized, it initiates its file encryption process, appending a unique ‘.threeamtime’ extension to encrypted files. Moreover, it tries to delete Volume Shadow copies, a tactic that is used to hamper data recovery efforts. These technical nuances highlight a fairly sophisticated approach to attacks, although the extortion methods the group uses are conventional.
This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.