In the first quarter of 2025, Sophos Incident Response aided an organization targeted by attackers affiliated with the 3AM ransomware group.
3AM
3AM, also referred to as ThreeAM, is a ransomware operation first publicly reported in 2023 and assessed by multiple researchers as closely linked to Royal and BlackSuit, with broader ties to former Conti operators.
Profile source: Mallory opens in a new tab3AM
Family profile
3AM, also referred to as ThreeAM, is a ransomware operation first publicly reported in 2023 and assessed by multiple researchers as closely linked to Royal and BlackSuit, with broader ties to former Conti operators. It has been described as either a newer iteration or rebranding within that lineage, and its tradecraft overlaps with ecosystems associated with Conti, Royal, and BlackBasta-affiliated activity.
3AM is used in targeted intrusions rather than indiscriminate mass deployment. Observed operations have combined social engineering, remote access abuse, stealthy foothold establishment, lateral movement, data theft, and attempted encryption. In one documented 2025 intrusion, attackers used email bombing followed by a spoofed support call to impersonate internal IT staff and convince an employee to grant access through Microsoft Quick Assist. The operators then deployed a QEMU-based virtual machine containing the QDoor backdoor, giving them a covert foothold that initially evaded endpoint monitoring. From there, they used compromised accounts, command execution, remote desktop access, and commercial remote-management software to move through the environment, attempted to weaken defensive controls including MFA and endpoint protection, exfiltrated large volumes of data to cloud storage, and finally launched 3AM ransomware from an unmanaged server.
The malware’s operational model is consistent with modern double-extortion ransomware: theft of victim data followed by attempted encryption and public pressure. 3AM operators have maintained a leak site for publishing victim data and have experimented with amplifying extortion pressure through social media by publicizing breaches to victims’ followers. Researchers have also noted infrastructure and tooling overlaps with broader Conti-linked tradecraft, including use of backdoors, tunneling mechanisms, and commodity malware historically seen in related ransomware campaigns.
3AM primarily targets Windows enterprise environments. Reported activity indicates interest in organizations where remote administration pathways, identity compromise, and unmanaged systems can be leveraged to bypass defenses. The group has appeared in the broader ransomware landscape affecting commercial organizations and has been discussed alongside other major extortion operations active after the fragmentation of Conti.
Capabilities
- Defense Evasion
- Exfiltration
- Extortion
- Lateral Movement
- Post Exploitation
- Reconnaissance
Ransomware.live
Operational record
Ransomware.live
Recent claims
Reported operators
Threat actors
2 named in public reportingSecurity researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.
MITRE ATT&CK
3AM in ATT&CK
11 distinct techniquesTechniques
11 techniquesReporting
Research mentioning 3AM
“Stern” Ransomware Operator Sanctioned by EU
As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.
A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist | SOPHOS
In the first quarter of 2025, Sophos Incident Response aided an organization targeted by attackers affiliated with the 3AM ransomware group.
Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos
“Minimal-activity Groups… such as 3AM… each registered one incident.”
CTI Roundup: Go Infostealers, 3AM Ransomware, & RedLine/Vidar Malware | Tanium
3AM Ransomware is mentioned as a threat in the CTI Roundup, indicating its activity in the ransomware landscape.
Ransomware Hit $1 Billion in 2023
“…Royal ransomware, and its newer iteration known as 3am…”
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs
Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.