ABCOR Targeted by ThreeAM Ransomware Group

ABCOR has been attacked by the ThreeAM ransomware group. The company has not commented on the breach, so it’s unclear how the negotiations are going. 3AM detailed the victim’s profile on its public platform but no other information is available. Abcor specializes in metal production and parts assembly. Products range in size and complexity from chassis rails and cross members for the truck industry, to stainless steel grab rails to aluminium bull bars and bumpers to audio brackets for the OEM transport industry.

The Rise of ThreeAM Ransomware

In late 2023, a new and distinct ransomware group named ThreeAM or 3AM Ransomware reared its ugly head. It appeared to play the role of ‘second fiddle’ to other ransomware, particularly during unsuccessful deployments of the notorious LockBit ransomware. ThreeAM appears to be a Russian-speaking group, as it is employed by other bad actors who also have the LockBit variant and has mostly Western-affiliated countries in its crosshairs. However, they are not only a secondary option, ThreeAM sets itself apart through several unique technical characteristics.

Strikingly, it is developed using Rust, distinguishing itself as a novel player in the ransomware world. It functions as a 64-bit executable and was designed to disrupt applications, backup systems, and security software. It targets specific files, renames them with a “.threeamtime” extension, and attempts to remove Volume Shadow copies, highlighting its destructive capabilities.

Technical Approach of ThreeAM

ThreeAM operational sequence involves meticulous pre-encryption activities, targeting and disabling particular services, especially those related to security and backup, from well-known vendors. At first, ThreeAM approach uses the “gpresult” command to extract policy settings from the victim’s system. A reconnaissance phase follows, involving a range of commands for network and server enumeration, establishing persistence, and data exfiltration using tools such as the Wput FTP client. ThreeAM is also known to use command-line parameters for targeted operations, which include specifying the encryption method and controlling the encryption speed.

Once these services are neutralized, it initiates its file encryption process, appending a unique ‘.threeamtime’ extension to encrypted files. Moreover, it tries to delete Volume Shadow copies, a tactic that is used to hamper data recovery efforts. These technical nuances highlight a fairly sophisticated approach to attacks, although the extortion methods the group uses are conventional.