threeam

85 tracked victims

·first seen 2023-08-04·last activity 2026-06-12

Group profile

A new Ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by the Symantec team, in which a ransomware affiliate attempted to deploy another ransomware, LockBit, on the target network and then switched to 3AM when LockBit was reportedly blocked.<BR> > <BR> > The ransomware operation, according to the publication on its Tor-based website, has been operating since mid-August 2023, according to the publication from its first victim.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs

MITRE ATT&CK TTPs

TA0003

Persistence

T1136Create Account
The threat actor using the 3AM ransomware performed account creation to ensure persistence.

TA0004

Privilege Escalation

T1543.003Service Execution
The threat actor used PsExec to take advantage of a Windows service to escalate from administrator privileges to SYSTEM.
T1548.002Bypass User Account Control
The threat actor may use Cobalt Strike for a series of known techniques to bypass Windows UAC.

TA0005

Defense Evasion

T1070.001Clear Windows Event Logs
The executable clears Windows event logs after its execution.
T1562.004Disable or Modify System Firewall Settings
The threat actor uses commands to set the discovery policy of other hosts on the network, altering the Firewall policy.

TA0007

Discovery

T1018Remote System Discovery
Utilizes Advanced IP Scanner and MASSCAN to discover remote systems.
T1135Network Share Discovery
The threat actor executed reconnaissance commands like 'whoami, netstat, quser, net view, and net share' to enumerate other servers.
T1615Group Policy Discovery
The threat actor used commands like 'gpresult' to dump applied policy settings on the computer for a user (Group Policy).

TA0010

Exfiltration

T1048Exfiltration Over Alternative Protocol
The threat actor used the 'Wput' tool to exfiltrate files from the victim to their own server via FTP.

TA0040

Impact

T1486Data Encrypted for Impact
The ransomware encrypts files and appends the '.threeamtime' extension after encryption.
T1490Inhibit System Recovery
The 3AM ransomware deletes volume shadow copies on the disk and backups through the commands presented in the analysis.

Recent victims

showing 50 of 85

Date	Website / victim	Sector	Country
2026-05-15	jetmachprod.comjetmachprod.com	Manufacturing
2026-04-30	jastrebarsko.hrjastrebarsko.hr	Not Found	HR
2026-05-09	palmero.compalmero.com	Not Found
2026-05-11	insamani.com.arinsamani.com.ar	Not Found	AR
2026-06-12	bsynchro.combsynchro.com	Technology	DE
2026-05-14	molinoscabodi.com.armolinoscabodi.com.ar	Agriculture and Food Production	AR
2026-05-13	ws.com.brws.com.br	Business Services	BR
2026-05-17	consultic.beconsultic.be	Business Services	BE
2026-06-12	amc.org.auamc.org.au	Not Found	AU
2026-06-12	agroexportavocados.comagroexportavocados.com	Agriculture and Food Production	MX
2026-05-24	hoplongtech.comhoplongtech.com	Technology	VN
2026-06-12	mgrlaw.commgrlaw.com	Business Services	US
2025-06-02	wyomingcountyny.govwyomingcountyny.gov	Public Sector	US
2025-06-25	sequoiadental.comsequoiadental.com	Healthcare	US
2025-08-31	townofnorwell.nettownofnorwell.net	Public Sector	US
2026-05-01	curedentalbeltontx.comcuredentalbeltontx.com	Healthcare	US
2025-08-07	austinplasticandreconstructivesurgery.comaustinplasticandreconstructivesurgery.com	Healthcare	US
2025-09-20	hsjlawyers.comhsjlawyers.com	Business Services
2025-09-26	bun.nlbun.nl	Agriculture and Food Production	NL
2025-11-19	aceforwarding.comaceforwarding.com	Transportation/Logistics
2025-11-27	ic-controls.comic-controls.com	Manufacturing	DE
2025-02-06	kkp.lawkkp.law	Business Services	US
2025-02-18	iss-na.comiss-na.com	Business Services	US
2025-02-21	icgad.comicgad.com	Construction	US
2025-03-19	dbhcares.comdbhcares.com	Healthcare	US
2025-02-06	icmtx.comicmtx.com	Technology	US
2024-03-03	jastreet.comjastreet.com	Construction	US
2025-02-18	neffendorfblockercpa.comneffendorfblockercpa.com	Financial Services	US
2025-05-25	gosvt.comgosvt.com	Technology	US
2025-05-20	vazirilaw.comvazirilaw.com	Business Services	US
2025-01-15	leonardo.comleonardo.com	Technology	IT
2025-02-01	sehma.comsehma.com	Healthcare	DE
2025-02-05	corehandf.comcorehandf.com	Consumer Services	US
2025-01-30	soitinlaine.fisoitinlaine.fi	Consumer Services	FI
2025-01-15	anwsd.organwsd.org	Education	US
2024-11-27	hapsch.dehapsch.de	Healthcare	DE
2024-11-29	kuritaamerica.comkuritaamerica.com	Manufacturing	JP
2024-12-04	hobokennj.govhobokennj.gov	Public Sector	US
2024-11-13	midstatesindustrial.commidstatesindustrial.com	Manufacturing	US
2024-09-28	anuenterprise.com.auanuenterprise.com.au	Business Services	AU
2024-10-31	inhometexas.cominhometexas.com	Healthcare	US
2024-10-08	caillau.com.brcaillau.com.br	Manufacturing	BR
2024-10-10	sandray.comsandray.com	Manufacturing	US
2024-10-24	mpspromotions.commpspromotions.com	Business Services	AU
2024-10-19	freedomhomecare.netfreedomhomecare.net	Healthcare	US
2024-10-24	carolinaarthritis.comcarolinaarthritis.com	Healthcare	US
2024-10-10	oklahomasleepinstitute.comoklahomasleepinstitute.com	Healthcare	US
2024-09-30	verco.co.ukverco.co.uk	Manufacturing	GB
2024-09-30	carlile-group.comcarlile-group.com	Transportation/Logistics	GB
2024-06-18	sacredheart.southwark.sch.uksacredheart.southwark.sch.uk	Education	GB