Malware Profile Updated 2 months ago
ThreeAM, a developing ransomware group first identified by GRIT in September 2023, has been steadily increasing its operational tempo. The ransomware is designed to exploit and damage computer systems, typically gaining entry through suspicious downloads, emails, or websites without the user's knowledge; once inside, it disrupts operations, steals personal information, or holds data hostage for ransom. Notably, investigations into ThreeAM incidents revealed that the threat actor initially attempted to deploy the LockBit ransomware encryptor and fell back to ThreeAM ransomware when LockBit failed. This sharing of LockBit and ThreeAM by at least one affiliate has drawn attention because recent law enforcement operations threaten LockBit's long-term viability.

Symantec's Threat Hunter Team was the first to identify the ThreeAM ransomware in the wild, noting the group's reference to the ThreeAM moniker in its ransom note and encrypted file extensions. In February, ThreeAM posted six victim organizations, its most active month since launching a data leak site that presumably lists legacy victims. According to Intrinsec's cyber threat intelligence team, the group likely tested a new extortion technique using automated replies on X (formerly Twitter) to broadcast news of successful attacks.

Although there is no evidence that ThreeAM operates as a Ransomware-as-a-Service (RaaS) operation, the increased activity since the launch of its data leak site may indicate an improvement in the quality and/or quantity of its operations. Over time, ThreeAM could emerge as a viable alternative to LockBit, potentially leading to a continued increase in victim volume. Researchers at French cybersecurity company Intrinsec have suggested that ThreeAM is likely connected to the Royal ransomware group, which has rebranded as BlackSuit and consists of former members of Team 2 within the Conti syndicate.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Royal Ransomware
Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
BlackSuit is a malicious software (malware) that was introduced in May 2023, believed to be a rebranding of the Royal ransomware operation, which itself was a branch of the now-defunct Conti ransomware operation. Various sources have reported similarities in code between Royal and BlackSuit, further
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Data Leak
Associated Malware
LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
3AM is a new and sophisticated ransomware family that has emerged in the cyber threat landscape. This malware, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information
Akira is a notorious ransomware that has been wreaking havoc across various sectors. The malware, first reported by Sophos in December 2023, has demonstrated its ability to infiltrate systems and extract sensitive data. Its primary method of attack involves targeting systems without multi-factor aut
Clop is a notorious malware, short for malicious software, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Clop can steal personal information, disrupt operations, or h
Conti is a type of malware, specifically ransomware, which was designed to infiltrate systems, disrupt operations, and potentially hold data hostage for ransom. The malware has been used by various threat actors, including ITG23, who have utilized it alongside other malicious software such as Trickb
Associated Threat Actors
AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.
Vice Society (type: Unspecified)
Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Associated Vulnerabilities
No associations to display
Source Document References
Information about the ThreeAM malware was read from the documents corpus below. This display is limited to 20 results.
GRIT Ransomware Report: February 2024 | #ransomware | #cybercrime | National Cyber Security Consulting (4 months ago)
Ransomware review: October 2023 (9 months ago)
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs (6 months ago)
Known Ransomware Attack Volume Breaks Monthly Record, Again (9 months ago)
Ransomware Retrospective 2024: Unit 42 Leak Site Analysis (5 months ago)
Visiting Physicians Network in Texas silent about ransomware attack and incident response | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting (10 months ago)