ThreeAM Ransomware

Download 10+ pages of ThreeAM Ransomware's latest criminal behaviors, previous industry and geographic targets, exploited vulnerabilities, criminal associations, and MITRE ATT&CK mappings.

About This Threat Profile

First Identified: 2023

Threat Type:
Ransomware-as-a-Service (RaaS)

Extortion method:
Double extortion – the operators encrypt victim data, exfiltrate sensitive data, and threaten to leak the stolen data if the ransom is not paid.

Most frequently targeted industry:

  • Healthcare

Most frequently targeted victim HQ region: North America

Known Associations:

  • BlackSuit Ransomware
  • Conti Ransomware
  • Zeon Ransomware

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1190, T1566)
    • Persistence
      • Create account, create/modify system process (MITRE ATT&CK: T1136, T1543)
    • Lateral Movement
      • Exploitation of remote services, RDP, lateral tool transfer (MITRE ATT&CK: T1210, T1021.001, T1570)

Description of ThreeAM Ransomware

ThreeAM (AKA 3AM) is a ransomware family that first emerged in September 2023. It was first identified in an intrusion in which a LockBit affiliate failed to deploy LockBit and fell back to deploying ThreeAM instead. Because the affiliate appears to be tied to the LockBit operation, ThreeAM intrusions likely exhibit TTPs similar to those of LockBit and other established ransomware groups.

Additionally, threat researchers have assessed that ThreeAM is likely a rebrand of the Royal/BlackSuit ransomware operation and is connected to one of the core "teams" of the disbanded Conti group.

ThreeAM is written in Rust and is distributed as a 64-bit executable. Before encrypting, the binary runs a series of commands that stop applications and services, obstruct backup and recovery processes, and disable security software. Encrypted files are given the ".threeamtime" extension. The group operates a double extortion model: victim data is stolen before encryption and leaked if the ransom demand is not paid.
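The pre-encryption behaviour described above (stopping services, obstructing backups, disabling security tooling) is what a defender can catch before any ".threeamtime" file appears. The following is an added detection example, not Blackpoint's or ThreeAM's code: it runs generic ransomware-precursor signatures over constructed process-creation events and only flags a host when at least two distinct behaviour classes fire, so a lone administrative `net stop` is not an alert. The command-line patterns are an assumption about common precursor commands, not a list of ThreeAM's actual command lines (this page does not give them); the event format and sample events are constructed and should be mapped to your own EDR or Sysmon schema.

```python
import re
from collections import defaultdict

# Generic command-line signatures for the three behaviour classes the profile
# names. ASSUMPTION: these are common ransomware precursor commands, not a list
# of ThreeAM's own command lines (the profile does not provide those).
RULES = {
    "backup_obstruction": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(?:\.exe)?\s+delete\s+"
        r"|bcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no",
        re.I,
    ),
    "service_halt": re.compile(
        r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\S+"
        r"|\btaskkill(?:\.exe)?\b.*\s/im\s",
        re.I,
    ),
    "security_tamper": re.compile(
        r"Set-MpPreference\b.*-Disable\w+\s+\$?true"
        r"|netsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off",
        re.I,
    ),
}

# Extension the profile attributes to ThreeAM-encrypted files.
ENCRYPTED_EXT = ".threeamtime"

# Minimal key=value event format (constructed; substitute your EDR/Sysmon schema).
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_event(line):
    """Parse one event line into a dict, or None if it does not fit the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return the set of behaviour classes a single command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def is_encrypted_name(path):
    """True when a file name carries the ".threeamtime" extension (post-encryption indicator)."""
    return path.lower().endswith(ENCRYPTED_EXT)


def triage(lines, min_classes=2):
    """Group matches per host and flag hosts where >= min_classes distinct classes fire.

    A single stopped service is routine admin noise; backups deleted plus services
    stopped plus firewall/AV tampering on one host within the same window is not.
    """
    per_host = defaultdict(lambda: {"classes": set(), "hits": []})
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue  # unparseable telemetry is skipped, not treated as a hit
        classes = classify(ev["cmd"])
        if classes:
            per_host[ev["host"]]["classes"] |= classes
            per_host[ev["host"]]["hits"].append(
                (ev["ts"], ev["pid"], sorted(classes), ev["cmd"])
            )
    return {h: d for h, d in per_host.items() if len(d["classes"]) >= min_classes}


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    '2023-09-12T03:01:02Z host=WS01 pid=4412 cmd="net stop vss /y"',
    '2023-09-12T03:01:03Z host=WS01 pid=4420 cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-09-12T03:01:05Z host=WS01 pid=4431 cmd="netsh advfirewall set allprofiles state off"',
    '2023-09-12T03:01:09Z host=WS01 pid=4440 cmd="wbadmin delete systemstatebackup -keepVersions:0"',
    '2023-09-12T08:15:44Z host=SRV02 pid=812 cmd="net stop spooler"',  # admin noise, one class only
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, data in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {sorted(data['classes'])}")
        for hit in data["hits"]:
            print("   ", hit)
    print(is_encrypted_name(r"C:\Users\a\Documents\q3.xlsx.threeamtime"))
```

Run as-is, only WS01 is flagged (three classes in a few seconds); SRV02's single `net stop spooler` is ignored. The threshold and the regexes are the tuning knobs: raise `min_classes` for noisy fleets, and add the service names your EDR and backup agents use to the `service_halt` pattern if you want those stops to count on their own.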

One aspect that sets ThreeAM apart from other variants is its use of the Yugeon Web Clicks script, a PHP script dating from 2004. It is not known why the group chose such an outdated script; it is likely due to a perception that older scripts are less likely to be flagged by modern security tools, combined with the script's straightforward, low-complexity functionality.

Date published: December 15, 2025
Author: Blackpoint Cyber