Conti and Royal Get Powerful Ally: 3am Hackers Enter Game

New Cybercrime Group “3am” Shows Ties with Conti Syndicate and Royal Group

In recent months, analysts at Intrinsec have been tracking a new player in the cybercrime arena called 3am (also written Threeam or 3AM), which shows close connections to the Conti syndicate and the Royal group.

Unique Tactics of Blackmail and Data Leakage

3am is drawing attention for an unusual extortion tactic. Using bots, the group publicises its intrusions on the victims' own social media: the bots reply to the victim's official account on the X platform with posts announcing that the company's data has been stolen and will be leaked, adding public pressure on top of the ransom demand.

Direct Connection with Conti and Royal Ransomware

The first public indications of 3am's activity surfaced in September, when Symantec's threat hunters observed an affiliate fall back to the Threeam ransomware after a failed attempt to deploy LockBit. Further investigation suggests that Threeam is likely affiliated with the Royal group (since rebranded as BlackSuit), which consists of former members of Team 2 within the Conti syndicate.

Technical Evidence and Infrastructure Analysis

Intrinsec's analysts found significant overlaps between 3am and Conti in communication channels, infrastructure, and tactics, techniques and procedures (TTPs). Pivoting on the IP address Symantec published as an indicator of compromise (185.202.0[.]111), they found a PowerShell script used to launch Cobalt Strike, tooling that had already been identified in 2020. They also observed similarities with the Zeon-Monk activity, as well as the use of the IcedID malware, which the XingLocker and Conti groups had previously used to deliver payloads.
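As an added example (not code from Intrinsec, Symantec, or this article), here is how an analyst might operationalise the published indicator: refang the defanged IP, then sweep log lines for it and for a generic hidden-window, encoded PowerShell launcher of the kind used to stage Cobalt Strike. Only the IP is from the reporting; the second indicator, the log lines, and the launcher heuristic are constructed assumptions for illustration.

```python
import re
from typing import Iterable

# Indicators as they appear in threat reports (defanged so they are not
# clickable). Only the first one is from the article; the second is a
# constructed placeholder to show that URLs are refanged too.
DEFANGED_IOCS = [
    "185.202.0 [.] 111",                      # IP from the Symantec/Intrinsec reporting
    "hxxp://example[.]invalid/launcher.ps1",  # constructed, not a real 3AM indicator
]

# Constructed proxy and Sysmon lines, not real telemetry. Line 3 carries a
# near-miss address (185.202.0.11) to show that matching is exact.
SAMPLE_LOG = """\
2023-09-12T03:14:07Z proxy ALLOW src=10.0.5.23 dst=185.202.0.111 dport=443 ua="Mozilla/5.0"
2023-09-12T03:14:09Z proxy ALLOW src=10.0.5.23 dst=151.101.1.69 dport=443 ua="Mozilla/5.0"
2023-09-12T03:15:41Z proxy ALLOW src=10.0.7.8 dst=185.202.0.11 dport=80 ua="curl/8.1"
2023-09-12T03:16:02Z sysmon ProcessCreate Image=powershell.exe CommandLine="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."
""".splitlines()

# Common defanging conventions: "[.]", "(.)", "{.}", "hxxp", "[:]".
_DEFANG_RULES = [
    (re.compile(r"\s*\[\.\]\s*"), "."),
    (re.compile(r"\s*\(\.\)\s*"), "."),
    (re.compile(r"\s*\{\.\}\s*"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"hxxps?://", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form."""
    s = ioc.strip()
    for pattern, repl in _DEFANG_RULES:
        s = pattern.sub(repl, s)
    return s


def looks_like_ps_launcher(line: str) -> bool:
    """Heuristic (an assumption, not a signature from the report): a PowerShell
    command line that both hides its window and carries a long encoded command,
    a shape commonly seen in Cobalt Strike stagers."""
    lowered = line.lower()
    hidden = re.search(r"-w(?:in|indowstyle)?\s+hidden", lowered) is not None
    encoded = re.search(r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", lowered) is not None
    return hidden and encoded


def analyze(lines: Iterable[str], defanged_iocs: Iterable[str]) -> dict:
    """Return IOC hits (with 1-based line numbers) and suspected launcher lines."""
    # Anchor each refanged IOC so 185.202.0.111 does not match 1185.202.0.1110.
    patterns = {
        refang(raw): re.compile(r"(?<![\w.])" + re.escape(refang(raw)) + r"(?![\w.])")
        for raw in defanged_iocs
    }
    ioc_hits, ps_launchers = [], []
    for n, line in enumerate(lines, 1):
        for clean, pat in patterns.items():
            if pat.search(line):
                ioc_hits.append({"line": n, "ioc": clean, "text": line})
        if looks_like_ps_launcher(line):
            ps_launchers.append(n)
    return {"ioc_hits": ioc_hits, "ps_launchers": ps_launchers}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, DEFANGED_IOCS)
    for hit in result["ioc_hits"]:
        print(f"IOC {hit['ioc']} on line {hit['line']}: {hit['text']}")
    for n in result["ps_launchers"]:
        print(f"Suspected PowerShell launcher on line {n}")
```

Substring matching on a refanged IP is deliberately anchored on both sides; a bare `in` check would also fire on longer addresses that merely contain the indicator as a prefix or suffix.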

Researchers also found that 3AM's data leak site, nominally hosted on Tor, had been indexed by Shodan, the search engine for internet-connected servers, meaning the site was reachable from the regular internet rather than only through Tor. The site lists 19 victims whose data was published after they refused to pay the ransom. Surprisingly, the
