Skip to content
Ransomware group Windows

3AM

3AM, also referred to as ThreeAM, is a ransomware operation first publicly reported in 2023 and assessed by multiple researchers as closely linked to Royal and BlackSuit, with broader ties to former Conti operators.

Profile source: Mallory opens in a new tab

3AM

Family profile

3AM, also referred to as ThreeAM, is a ransomware operation first publicly reported in 2023 and assessed by multiple researchers as closely linked to Royal and BlackSuit, with broader ties to former Conti operators. It has been described as either a newer iteration or rebranding within that lineage, and its tradecraft overlaps with ecosystems associated with Conti, Royal, and BlackBasta-affiliated activity.

3AM is used in targeted intrusions rather than indiscriminate mass deployment. Observed operations have combined social engineering, remote access abuse, stealthy foothold establishment, lateral movement, data theft, and attempted encryption. In one documented 2025 intrusion, attackers used email bombing followed by a spoofed support call to impersonate internal IT staff and convince an employee to grant access through Microsoft Quick Assist. The operators then deployed a QEMU-based virtual machine containing the QDoor backdoor, giving them a covert foothold that initially evaded endpoint monitoring. From there, they used compromised accounts, command execution, remote desktop access, and commercial remote-management software to move through the environment, attempted to weaken defensive controls including MFA and endpoint protection, exfiltrated large volumes of data to cloud storage, and finally launched 3AM ransomware from an unmanaged server.

The malware’s operational model is consistent with modern double-extortion ransomware: theft of victim data followed by attempted encryption and public pressure. 3AM operators have maintained a leak site for publishing victim data and have experimented with amplifying extortion pressure through social media by publicizing breaches to victims’ followers. Researchers have also noted infrastructure and tooling overlaps with broader Conti-linked tradecraft, including use of backdoors, tunneling mechanisms, and commodity malware historically seen in related ransomware campaigns.

3AM primarily targets Windows enterprise environments. Reported activity indicates interest in organizations where remote administration pathways, identity compromise, and unmanaged systems can be leveraged to bypass defenses. The group has appeared in the broader ransomware landscape affecting commercial organizations and has been discussed alongside other major extortion operations active after the fragmentation of Conti.

Capabilities

  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Post Exploitation
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

2 named in public reporting
Storm-1811

In the first quarter of 2025, Sophos Incident Response aided an organization targeted by attackers affiliated with the 3AM ransomware group.

Conti

Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.

MITRE ATT&CK

3AM in ATT&CK

11 distinct techniques

Reporting

Research mentioning 3AM

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.