Threat Actor Profile
Description
A ransomware family identified under the name '3AM' or 'ThreeAM' in September 2023. The operation was first described by the Symantec team, which observed a ransomware affiliate attempt to deploy LockBit on a target network and then switch to 3AM when LockBit was reportedly blocked. According to the postings on its Tor-based leak site, the operation has been active since mid-August 2023, the date of its first published victim. Source: https://github.com/crocodyli/ThreatActors-TTPs
Confidence Score
Known Aliases
Tags
First Seen
2023-08-04 (the firstseen value in the ransomware.live record below)
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (11)
TA0003 Persistence: T1136 Create Account
TA0004 Privilege Escalation: T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control; T1543.003 Create or Modify System Process: Windows Service
TA0005 Defense Evasion: T1562.004 Impair Defenses: Disable or Modify System Firewall; T1070.001 Indicator Removal: Clear Windows Event Logs
TA0007 Discovery: T1135 Network Share Discovery; T1615 Group Policy Discovery; T1018 Remote System Discovery
TA0010 Exfiltration: T1048 Exfiltration Over Alternative Protocol
TA0040 Impact: T1490 Inhibit System Recovery; T1486 Data Encrypted for Impact
Indicators of Compromise
The only network indicators this profile carries are the actor's leak-site locations (from the ransomware.live record below); no file hashes, C2 addresses or ransom-note samples are included.
threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion (Chat / recovery portal, path /recovery)
threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion (DLS / data leak site, path /show-posts)
Host indicator: encrypted files carry the '.threeamtime' extension.
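As an added example (not code from this page, from ransomware.live or from Symantec), the script below takes the two leak-site locations from the record on this page, validates them as v3 onion addresses, and emits both STIX 2.1 indicator objects and a Microsoft Sentinel KQL hunting query. The PROFILE dict is a constructed subset of the page's data; the Sentinel table and column names (DnsEvents, DeviceNetworkEvents) are assumptions about which data connectors are in place.

```python
"""Turn a ransomware.live group record's leak-site locations into hunt-ready
artefacts: STIX 2.1 indicators and a Sentinel KQL query.

Added example. PROFILE is a constructed subset of the page's data; the
Sentinel table/column names are assumptions (DNS + Defender for Endpoint).
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed from the page's record: only the two .onion locations.
PROFILE = {
    "group": "threeam",
    "locations": [
        {"fqdn": "threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion",
         "type": "Chat"},
        {"fqdn": "threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion",
         "type": "DLS"},
    ],
}

# v3 onion services are exactly 56 base32 characters before ".onion".
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")


def extract_onion_fqdns(profile):
    """Return validated v3 .onion FQDNs, de-duplicated and sorted.

    Validation doubles as injection protection: only strings matching the
    strict pattern are ever interpolated into the STIX pattern or the KQL.
    """
    fqdns = {loc.get("fqdn", "").strip().lower() for loc in profile.get("locations", [])}
    return sorted(f for f in fqdns if ONION_V3.match(f))


def _stix_ts(dt):
    # STIX 2.1 timestamps are RFC 3339 in UTC with a trailing 'Z'.
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def to_stix_indicators(profile, created=None):
    """One STIX 2.1 indicator per FQDN, using a domain-name pattern.

    IDs are UUIDv5 of the FQDN so repeated runs produce the same object and
    de-duplicate in a TIP (any RFC 4122 UUID is valid for an SDO id).
    """
    ts = _stix_ts(created or datetime.now(timezone.utc))
    return [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_DNS, fqdn)),
        "created": ts,
        "modified": ts,
        "name": f"{profile['group']} leak site {fqdn}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[domain-name:value = '{fqdn}']",
        "valid_from": ts,
    } for fqdn in extract_onion_fqdns(profile)]


def kql_for_sentinel(fqdns):
    """Sentinel KQL that hunts the IOC set across DNS and endpoint telemetry.

    Assumed schema: DnsEvents (Name) and DeviceNetworkEvents (RemoteUrl).
    isfuzzy=true keeps the query valid when one of the tables is absent.
    """
    quoted = ", ".join(f'"{f}"' for f in fqdns)
    return "\n".join([
        f"let iocs = dynamic([{quoted}]);",
        "union isfuzzy=true",
        "  (DnsEvents | where Name in~ (iocs)",
        "   | project TimeGenerated, Computer, Artifact=Name, Source='DnsEvents'),",
        "  (DeviceNetworkEvents | where RemoteUrl has_any (iocs)",
        "   | project TimeGenerated, Computer=DeviceName, Artifact=RemoteUrl, Source='DeviceNetworkEvents')",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    fqdns = extract_onion_fqdns(PROFILE)
    print(json.dumps(to_stix_indicators(PROFILE), indent=2))
    print(kql_for_sentinel(fqdns))
```

A caveat on expected yield: .onion names only reach DNS or proxy telemetry when a client leaks them outside Tor (RFC 7686 asks resolvers to refuse them), so this query should fire rarely and any hit is high-signal. For this actor the more productive hunting surface is the behavioural TTP list further down, not the leak-site domains.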
STIX Data (the record below is a ransomware.live group profile in Python dict form, not a STIX 2.x bundle)
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': "A new Ransomware family identified by the name '3AM' or "
"'ThreeAM' in September 2023. The ransomware operation was "
'observed by the Symantec team, in which a ransomware '
'affiliate attempted to deploy another ransomware, LockBit, on '
'the target network and then switched to 3AM when LockBit was '
'reportedly blocked.<BR> \n'
'> <BR> \n'
'> The ransomware operation, according to the publication on '
'its Tor-based website, has been operating since mid-August '
'2023, according to the publication from its first '
'victim.<BR>Source: '
'https://github.com/crocodyli/ThreatActors-TTPs',
'firstseen': '2023-08-04T00:00:00+00:00',
'group': 'threeam',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2025-05-25T18:49:42.578716+00:00',
'locations': [{'available': True,
'fqdn': 'threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion',
'slug': 'http://threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion/recovery',
'title': 'Enter the key',
'type': 'Chat'},
{'available': True,
'fqdn': 'threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion',
'slug': 'http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion/show-posts',
'title': 'Verify',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': True,
'fqdn': 'threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion',
'slug': 'http://threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion/recovery',
'title': 'Enter the key',
'type': 'Chat'},
{'available': True,
'fqdn': 'threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion',
'slug': 'http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion/show-posts',
'title': 'Verify',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'threeam',
'tools': {},
'url': 'https://www.ransomware.live/group/threeam',
'victims': 64,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'The threat actor using the '
'3AM ransomware performed '
'account creation to ensure '
'persistence.',
'technique_id': 'T1136',
'technique_name': 'Create Account'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'The threat actor may use '
'Cobalt Strike for a series of '
'known techniques to bypass '
'Windows UAC.',
'technique_id': 'T1548.002',
'technique_name': 'Bypass User Account Control'},
{'technique_details': 'The threat actor used PsExec '
'to take advantage of a '
'Windows service to escalate '
'from administrator privileges '
'to SYSTEM.',
'technique_id': 'T1543.003',
'technique_name': 'Create or Modify System '
'Process: Windows Service'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'The threat actor runs '
'commands that modify the '
'Windows Firewall policy on '
'hosts to enable network '
'discovery.',
'technique_id': 'T1562.004',
'technique_name': 'Impair Defenses: Disable or '
'Modify System Firewall'},
{'technique_details': 'The executable clears Windows '
'event logs after its '
'execution.',
'technique_id': 'T1070.001',
'technique_name': 'Clear Windows Event Logs'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'The threat actor executed '
'reconnaissance commands like '
"'whoami, netstat, quser, net "
"view, and net share' to "
'enumerate other servers.',
'technique_id': 'T1135',
'technique_name': 'Network Share Discovery'},
{'technique_details': 'The threat actor used '
"commands like 'gpresult' to "
'dump applied policy settings '
'on the computer for a user '
'(Group Policy).',
'technique_id': 'T1615',
'technique_name': 'Group Policy Discovery'},
{'technique_details': 'Utilizes Advanced IP Scanner '
'and MASSCAN to discover '
'remote systems.',
'technique_id': 'T1018',
'technique_name': 'Remote System Discovery'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'The threat actor used the '
"'Wput' tool to exfiltrate "
'files from the victim to '
'their own server via FTP.',
'technique_id': 'T1048',
'technique_name': 'Exfiltration Over Alternative '
'Protocol'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'The 3AM ransomware deletes '
'volume shadow copies on the '
'disk and backups through the '
'commands presented in the '
'analysis.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'},
{'technique_details': 'The ransomware encrypts files '
'and appends the '
"'.threeamtime' extension "
'after encryption.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/threeam',
'victims': 64,
'vulnerabilities': []}