Overview
Three AM (3AM) is a Rust-based ransomware first observed in 2023, initially seen deployed as a fallback when LockBit deployments were blocked. The group has since operated independently, running their own leak site. The use of Rust suggests a sophisticated development team.
Tactics, Techniques & Procedures
Used as LockBit fallback, Rust-based ransomware, double extortion
Primary Targets
Enterprise networks, varied sectors
Indicators of Compromise
- 3AM Rust ransomware binary
- Cobalt Strike
- remote utilities
MITRE ATT&CK Techniques
T1486T1059.006 PythonT1041
Quick Reference
| Status | ACTIVE |
| Type | Ransomware |
| First Seen | 2023 |
| Victims Tracked | Monitored |
Dark Web Presence
http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onionhttp://threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion/recoveryhttp://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion/show-posts
Under Attack?
If you believe threeam has targeted your organisation, contact Binary Response immediately.
Emergency Response Dark Web Monitoring →