• Home
  • News
  • 3AM Ransomware Hits DS Granit

New 3AM Ransomware Hits DS Granit

Miklos Zoltan

By Miklos Zoltan . 22 November 2023

Founder - Privacy Affairs

3AM ransomware, the newest and most unusual cyber-threat program, claimed another victim in the form of DS Granit, a company specializing in the supply and installation of granite, quartz, and Dekton ceramic worktops.

  • This attack is part of a new string of hits in the last quarter of 2023, credit to 3AM ransomware
  • The 3AM ransomware group hit DS Granit on the 22 of November, as reported by the company’s administrative
  • The 3AM ransomware is a newcomer, one of the latest installments in the cyberthreat space and one that caused a lot of confusion
  • This type of ransomware operates based on an outdated PHP script called Yugeon Web Clicks v0.1, which released back in 2004
  • 3AM got its name from the fact that it encrypts files with the extension .threeamtime

DS Granit is one of the malware’s latest victims and there haven’t been many. It appears that 3AM is only being used selectively, only on handpicked targets. Currently, Threat Hunter Team has only recorded one other incident that involved 3AM.

In that particular case, the attacker used LockBit against the victim, but switched to 3AM when LockBit failed. 3AM worked, but not because it was so advanced that it circumvented the victim’s firewall. In fact, the contrary is true.

The peculiar thing about 3AM is that it uses a very outdated tool to operate, namely the Yugeon Web Clicks script v0.1.

It may seem bizarre that such a modern cyberthreat would operate based on such an old and outdated script, but there may be a method to the madness.

One of the potential explanations is that the attackers rely on the fact that modern firewalls aren’t set to recognize such ancient scripts.

Image showing a post on X about the ThreeAM attack on DS Granit
https://twitter.com/FalconFeedsio/status/1727254340274896933

Another is that they rely on the #ransomware classification to simply discourage victims from even attempting a solution on their own.

The intimidation alone would suffice in convincing them to pay. This allows the attackers to circumvent the costs of a more modern and complex PHP script while still having the desired effect.

Who or What Is 3AM?

At this point, there is very limited data to work with in relation to the 3AM ransomware, because the program has been deployed rarely.

So far, 3AM seems to be a backup plan for failed LockBit attacks, but more research is necessary to reach a definitive conclusion.

3AM is coded in Rust and operates in classical ransomware fashion, encrypting files and linking the user to a basic Tor network for negotiation.

The victims are supposed to use the passkey present in the ransom note to connect and negotiate their access to their files. Experts advise to the contrary, because there’s no guarantee that the victim will get their files back anyway.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Leave a Comment