3AM ransomware uses spoofed IT calls, email bombing to breach networks

A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.

This tactic was previously linked to the Black Basta ransomware gang and later observed in FIN7 attacks, but its effectiveness has driven wider adoption.

Sophos reports seeing at least 55 attacks leveraging this technique between November 2024 and January 2025, linked to two distinct threat clusters.

Those attacks followed the Black Basta playbook, including email bombing, vishing via Microsoft Teams, and Quick Assist abuse. The leak of Black Basta's internal conversations helped other threat actors get up to speed, as it included a template for Microsoft Teams phishing attacks impersonating IT help desks.

The 3AM ransomware attack, which targeted a Sophos client, occurred in the first quarter of 2025 and used a similar approach, with the twist that the phishing was done over real phone calls rather than Microsoft Teams.

The threat actors spoofed the target’s real IT department’s phone number to make the call appear legitimate. The call happened during an email bombing wave of 24 unsolicited emails received in three minutes.

The attacker convinced the employee to open Microsoft Quick Assist and grant remote access, supposedly as a response to malicious activity.

Next, the attacker downloaded and extracted a malicious archive from a spoofed domain, containing a VBS script, a QEMU emulator, and a Windows 7 image pre-loaded with the QDoor backdoor.

QEMU was used to evade detection by routing network traffic through virtual machines created on the platform, which gave the attackers persistent yet undetected access to the network.

Through this channel, the attackers performed reconnaissance using WMIC and PowerShell, created a local admin account to connect via RDP, installed the commercial RMM tool XEOXRemote, and compromised a domain administrator account.

Although Sophos says its products blocked lateral movement and defense deactivation attempts, the attacker still exfiltrated 868 GB of data to Backblaze cloud storage using the GoodSync tool.

Sophos’ tools also blocked subsequent attempts to run the 3AM ransomware encryptor, so the damage was contained to data theft and the encryption of the compromised host.

The dropped 3AM ransom note
Source: Sophos

The attack lasted 9 days; data theft was complete by day three, after which the threat actors were blocked from spreading further.

Attack timeline
Source: Sophos

Sophos suggested several key defense steps to block these attacks, including auditing administrative accounts for weak security, using XDR tools to block unapproved legitimate tools like QEMU and GoodSync, and configuring PowerShell execution policies to allow only signed scripts.
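As an added illustration (not part of the article or the Sophos report), the following detection logic flags the intrusion chain described above over constructed process-creation events: Quick Assist followed shortly by a script host, QEMU/GoodSync/XEOXRemote execution, and local admin account creation. The tool list, file names and the 15-minute correlation window are assumptions.

```python
"""Flag process-creation events matching the 3AM intrusion chain (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, image, command line)
EVENTS = [
    ("2025-02-10T09:01:00", "quickassist.exe", "quickassist.exe"),
    ("2025-02-10T09:04:30", "wscript.exe", "wscript.exe C:\\Users\\jdoe\\Downloads\\update.vbs"),
    ("2025-02-10T09:05:10", "qemu-system-x86_64.exe", "qemu-system-x86_64.exe -hda win7.qcow2 -netdev user"),
    ("2025-02-10T09:40:00", "net.exe", "net user svc_backup P@ss /add"),
    ("2025-02-10T09:40:05", "net.exe", "net localgroup administrators svc_backup /add"),
    ("2025-02-10T10:00:00", "svchost.exe", "svchost.exe -k netsvcs"),
    ("2025-02-11T02:00:00", "GoodSync.exe", "GoodSync.exe /exit-on-done sync job1"),
]

# Legitimate tools the article names as abused; assumed unapproved in this environment.
UNAPPROVED_TOOLS = {"qemu-system-x86_64.exe", "qemu-system-i386.exe", "goodsync.exe", "xeoxremote.exe"}
# net user <name> <pw> /add  or  net localgroup administrators <name> /add
LOCAL_ADMIN_ADD = re.compile(
    r"net(1)?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)
# Assumed window in which a script host after Quick Assist is suspicious.
REMOTE_SESSION_WINDOW = timedelta(minutes=15)


def detect(events):
    """Return (rule_name, detail) alerts in chronological order."""
    alerts = []
    last_quick_assist = None
    for ts, image, cmdline in sorted(events):  # ISO timestamps sort lexicographically
        t = datetime.fromisoformat(ts)
        low = image.lower()
        if low == "quickassist.exe":
            last_quick_assist = t  # remember the remote-assistance session start
        if low in UNAPPROVED_TOOLS:
            alerts.append(("unapproved_tool", image))
        if low in ("net.exe", "net1.exe") and LOCAL_ADMIN_ADD.search(cmdline):
            alerts.append(("local_admin_added", cmdline))
        if low in ("wscript.exe", "cscript.exe") and last_quick_assist is not None \
                and t - last_quick_assist <= REMOTE_SESSION_WINDOW:
            alerts.append(("script_after_quick_assist", cmdline))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```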

It is also recommended that available indicators of compromise be used to set up blocklists that prevent intrusion from known malicious sources.

Ultimately, email bombing and voice phishing can only be effectively blocked by increasing employee awareness.

The 3AM ransomware operation launched in late 2023 and was later linked to the Conti and Royal ransomware gangs.
