Close ties to notorious organizations like the Conti syndicate and the Royal ransomware gang were found by security researchers examining the activity of the recently discovered 3AM runsomeware operation.
Three AM, also known as ThreeAM, has also been experimenting with a new form of extortion, including sharing information about data leaks with the victim’s social media followers and using bots to respond to high-ranking accounts on X ( previously Twitter ) with messages pointing to the leak.
3AM is connected to the Conti cybercrime network.
The Threat Hunter Team at Symantec, which is now a part of Broadcom, revealed that they observed threat actors switching to ThreeAM ransomware after failing to deploy the LockBit malware in mid-September, when the activity of the 3AM gang was first made public.
Researchers at the French cybersecurity firm Intrinsec believe that ThreeAM is most likely associated with the Royal ransomware group, now , also known as Blacksuit, a group of former Team 2 members who are now part of the Conti syndicate.
As Intrinsec advanced in their investigation of the group’s strategies, infrastructure used in attacks, and communication channels, the connection between 3AM ransomware and the Conti syndicate  grew stronger.
According to a report from Intrinsec that was made public by BleepingComputer, 3AM and the Conti syndicate had” significant overlaps” in terms of communication channels, infrastructure, tactics, techniques, and procedures ( TTPs ).
Symantec listed that IP address and nbsp as a network indicator of compromise ( 185.202.0 [. ] Intrinsec researchers discovered on VirusTotal a PowerShell script for dropping Cobalt Strike that had been detected since 2020 in their report on the threat actor’s attack.
Intrinsec also discovered a SOCKS4 proxy on TCP port 8000, which is typically used for tunneling communication. ” The signature associated with this Socks4 service was displayed on two IP addresses showing such a proxy hallmark since mid-2022,” according to the researchers.
Additionally, Intrinsec analysts discovered a TLS certificate for an RDP service on the” DESKTOP- TCRDU4C” computer, which is linked to attacks starting in the middle of 2022, some of which used the IcedID malware dropper in campaigns against Royal ransomware.
Prior to XingLocker’s rebranding as Quantum and Conti groups, ransomware was delivered using IcedID.
Additionally, the researchers discovered that the HTML content from 3AM’s Tor network data leak site was accessible via the open web because it had been indexed by the Shodan platform for internet-connected servers.
An “nginx product that could be used to proxy network traffic upstream towards a genuine server” was identified by Shodan, according to the researcher.
Following the trail, Intrinsec discovered that 27 additional servers, all hosted by a company called” UAB Cherry Servers,” shared the same Apache httpd banner on the server.
Cherry Servers is a Lithuanian hosting company with comparatively low fraud risk, but due to threat intelligence services, the company’s clients have been known to host malware, including Cobalt Strikeand .
Six of the 27 servers shared the same port, protocol, Apache product, autonomous system ( AS16125 ), organization, and “limited liability company” ( llc ) code, according to a closer look.
In addition, the TLS certificates from Google Trust Services LLC, which were transferred to Cloudflare, were present in the domains at the IP addresses under analysis.
The ALPHV/BlackCat ransomware operation used IP addresses in the same subnet, and some of them have been linked to the , IcedID malware that had been used for Conti attacks, according to a report from cybersecurity and managed services company Bridewell published in April.
The technical findings of Intrinsec are consistent with RedSense’s threat intelligence, which states that ALPHV is an allied group that is not a part of the Conti syndicate but may assist the gang in carrying out attacks in various ways.
Twitter bots are being tested to exert pressure on victims.
The cyber threat intelligence team at Intrinsec found that ThreeAM likely tested a novel extortion strategy by using automated responses on X ( previously Twitter ) to announce their successful attacks.
Last August 10th, the threat actor created an X/Twitter account, which he used to leave “numerous replies” mentioning one of its victims and directing users to the data leak site.
In response to tweets from the victim as well as various accounts, some of which had hundreds of thousands of followers, such as the example below, 3AM ransomware provided a link to the Tor network’s data leak site 3AMS s .
This strategy was probably used to spread the word about the attack and subsequent data leak as well as to harm the victim’s business reputation, a U.S. company that offered automated packaging services.
Researchers from Intrinsec found that ThreeAM automatically responded to several tweets from some of the victim’s followers using the same message.
In the private report shared with BleepingComputer, Intrinsec writes,” We assess with good confidence that an X/Twitter bot was likely , used to conduct such a name and shame campaign.”
The increased volume and frequency of ThreeAM responses —sometimes as many as 86 per day, well above the average for a real user, and roughly four per minute—points to this theory.
It is important to note that this strategy seems to have only been used with one 3AM victim, most likely because it did not produce the desired outcomes for the threat actor.
A list of 19 victims who did not pay the ransom and whose information the threat actor leaked can be found at the Tor network’s 3AM data leak site. Surprisingly, the website for 3AM resembles the one used by the LockBit ransomware operation quite a bit.
Although the gang exhibits less operational security and ThreeAM intrusion sets appear to be a less sophisticated subgroup of Royal, Intrinsec warns that it should n’t be undervalued and could still launch numerous attacks.
The Conti business
Between 2020 and May 2022, the Conti cybercrime syndicate was the biggest and most aggressive ransomware operation. It was shut down as a result of the Data Leaks data breach.
The operation’s affiliates compromised more than 40 organizations in less than a month during one of its , most successful hacking sprees, taking only three days from initial access to encrypting systems.
Many of the syndicate’s members and affiliates  partnered with other businesses, contributing with knowledgeable people at every stage of an attack, from target analysis and initial access to negotiations, infrastructure, developers, and operators. The ransomware brand also disintegrated into multiple cells.
Royal ransomware,” the direct heir of Conti,” is one continuation, according to Yelisey Bohuslavskiy, a closed andnbsp operation with members who are personally acquainted with one another.
Some researchers believe that one of the Royal group’s leaders, is a threat actor by the name of Baddie as he was mentioned in an online hacker forum post. However, no additional information has been made public about this, and ransomware is a dynamic topic these days. According to Bohuslavskiy, Baddie may have simply been involved in several different service-based operations ( RaaS ) operations.
It can be challenging to identify a specific gang’s members or connect them to an operation in an environment as chaotic as affiliates working with numerous RaaS groups.