
A new wave of highly targeted 3AM ransomware attacks is leveraging email bombing and spoofed IT support calls to breach corporate networks, according to recent threat intelligence reports [1]. The attacks, attributed to former Conti and BlackBasta affiliates, represent an evolution in social engineering tactics combined with technical evasion techniques.
Executive Summary
The 3AM ransomware operation has shifted from being a LockBit fallback option in 2023 to a sophisticated threat employing multi-stage social engineering. Key characteristics include:
- Initial Access: Email bombing campaigns (thousands of spam messages) obscure follow-up vishing attempts via Microsoft Teams or phone calls [2]
- Technical Evasion: QEMU virtual machine deployment bypasses endpoint detection while the QDoor backdoor (Rust-based) establishes C2 channels [3]
- Lateral Movement: Abuse of RMM tools like Syncro and data exfiltration via GoodSync to Backblaze storage [4]
- Encryption: Files marked with the .threeamtime extension and a 0x666 hexadecimal marker [5]
Attack Chain Analysis
The operational timeline begins with email bombing campaigns flooding target organizations with spam messages. This serves two purposes: overwhelming security filters and conditioning employees to overlook malicious follow-up communications. Within 24-48 hours, attackers initiate vishing attempts posing as IT support staff, typically requesting Quick Assist or other remote access tool installation [2].
Once initial access is achieved, the attackers deploy a QEMU virtual machine containing the ransomware payload. This technique, first documented by Sophos researchers in May 2025, allows the malware to operate outside the host’s native environment, evading signature-based detection [3]. The VM executes the QDoor backdoor, which establishes persistence and onward access through:
| Technique | Implementation |
|---|---|
| Persistence | Creation of SupportUser local admin accounts |
| C2 Communication | Encrypted traffic to 88.118.167.239 (Lithuanian IP) |
| Lateral Movement | Abuse of Syncro RMM and GoodSync for data exfiltration |
Defensive Countermeasures
Effective mitigation requires both technical controls and human factors management. Organizations should implement application control policies to block unauthorized virtualization software like QEMU and restrict RMM tool usage to approved personnel only. Network segmentation should isolate critical systems, with VLANs enforcing communication boundaries between departments [6].
Endpoint protection solutions with behavioral analysis capabilities have demonstrated effectiveness against 3AM’s execution chain. Sophos CryptoGuard successfully intercepted encryption attempts in observed cases by detecting the ransomware’s file modification patterns [3]. Mandatory MFA for all remote access methods remains the most effective barrier against credential theft through vishing.
Operational Relevance
The 3AM operation shares Tactics, Techniques, and Procedures (TTPs) with Storm-1811, a group known for Teams-based social engineering [7]. This connection suggests possible collaboration or shared infrastructure among threat actors specializing in corporate network infiltration. The Rust-based implementation of QDoor indicates a trend toward cross-platform compatibility and improved evasion capabilities compared to earlier C++ variants.
Security teams should monitor for the following Indicators of Compromise (IoCs):
- “3 am… The time of mysticism” – ransom note signature observed in 3AM attacks [1]
Additional behavioral indicators include sudden spikes in email traffic followed by unusual remote desktop protocol (RDP) connections, particularly outside business hours. The average dwell time before ransomware deployment is approximately 9 days, providing a detection window for proactive threat hunting [3].
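The sequence just described (a burst of inbound mail followed, within the dwell window, by an after-hours RDP logon) and the SupportUser account creation listed in the table above can be expressed as a simple log correlation. The Python below is an added example, not code from any of the cited vendors; the event records, the 500-messages-per-hour threshold, the 48-hour window and the 08:00-18:00 business window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident). Each tuple is
# (timestamp, event type, principal): "mail" = inbound message delivered,
# "rdp_logon" = successful remote desktop logon, "account_created" = new
# local account, where the principal field holds the new account name.
SAMPLE_EVENTS = [
    *[(datetime(2025, 6, 2, 10, 0) + timedelta(seconds=i), "mail", "j.doe")
      for i in range(1200)],                             # bomb: 1200 mails in 20 min
    (datetime(2025, 6, 2, 9, 5), "rdp_logon", "j.doe"),     # before the spike
    (datetime(2025, 6, 3, 22, 40), "rdp_logon", "j.doe"),   # 36 h later, after hours
    (datetime(2025, 6, 3, 23, 1), "account_created", "SupportUser"),
    (datetime(2025, 6, 2, 11, 0), "rdp_logon", "a.smith"),  # daytime, no spike
]

def mail_spike_hours(events, threshold=500):
    """Map user -> hour buckets in which inbound mail exceeded `threshold`."""
    counts = Counter((u, t.replace(minute=0, second=0, microsecond=0))
                     for t, kind, u in events if kind == "mail")
    spikes = {}
    for (user, hour), n in counts.items():
        if n > threshold:
            spikes.setdefault(user, []).append(hour)
    return spikes

def outside_business_hours(t, start=8, end=18):
    """Weekend, or a weekday outside the assumed 08:00-18:00 window."""
    return t.weekday() >= 5 or not (start <= t.hour < end)

def detect_bomb_then_rdp(events, window=timedelta(hours=48)):
    """Alert on an after-hours RDP logon by a mail-bombed user that occurs
    within `window` after the spike hour (the sequence described above)."""
    alerts = []
    for user, hours in mail_spike_hours(events).items():
        for t, kind, u in events:
            if kind != "rdp_logon" or u != user or not outside_business_hours(t):
                continue
            if any(h <= t <= h + window for h in hours):
                alerts.append((user, t))
    return alerts

def detect_support_user(events, name="SupportUser"):
    """Flag creation of a local account with the name reported in the table."""
    return [t for t, kind, n in events if kind == "account_created" and n == name]
```

Feeding real mail-gateway, Windows 4624 (logon type 10) and 4720 events into the same tuple shape is left to the reader; the thresholds should be tuned to the organization's baseline.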
Conclusion
The 3AM ransomware campaign demonstrates the increasing sophistication of social engineering combined with technical evasion methods. While the ransomware itself has shown vulnerabilities to modern endpoint protection, the initial access vectors remain highly effective against unprepared organizations. Continuous employee training on vishing recognition, coupled with strict application control policies, forms the most robust defense against this evolving threat.
References
- [1] Symantec. (2023). 3AM ransomware emerges as LockBit fallback option.
- [2] BleepingComputer. (2025). 3AM ransomware uses spoofed IT calls, email bombing to breach networks.
- [3] Sophos. (2025). A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist.
- [4] Quorum Cyber. (2025). 3AM ransomware technical analysis report.
- [5] NJCCIC. (2024). Ransomware threats gaining momentum: 3AM variant analysis.
- [6] Adlumin. (2023). MGM Resorts cyberattack analysis: Social engineering case study.
- [7] Microsoft. (2024). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware.