Ransomware: how ThreeAM used a bot to put pressure on one of its victims


Cyber threat intelligence analysts at the French company Intrinsec have noticed a new modus operandi in the ransomware world. As the company explains in a report spotted by BleepingComputer, the ransomware gang ThreeAM tried to put pressure on one of its victims with a bot on X (formerly Twitter).

On August 10, 2023, around 90 near-identical replies were posted on the social network about a data leak affecting an American marketing company based in Wisconsin. The messages, aimed at the followers of the victim company, included a link to the Tor site where the stolen data had been published.

“This strategy, which had not yet been reported by the cybersecurity community, probably aims to force victims to pay the ransom or to agree to pay a higher ransom,” Intrinsec's analysts judge. The company is also confident that a bot was used in this maneuver, given the cadence at which the messages were posted.

Increase pressure

While using a bot on X may be novel, cybercriminals have been looking for ways to increase pressure on their victims for some time. The Tor sites that host stolen data shield their operators well, but they draw little traffic and downloads from them are slow.

The Cl0p gang, for example, relied on torrents to publish stolen data, a way of ensuring that a leak spreads quickly. ALPHV/BlackCat, for its part, brazenly filed a complaint with the SEC, the American financial markets regulator, against one of its victims for failing to meet the deadline for disclosing a cyberattack. Finally, the American authorities have reported the harassment of victims by Karakurt, through emails and telephone calls.

Coded in Rust

ThreeAM, also known as 3AM after the wording of its ransom note, was identified by Symantec analysts in a report published in mid-September 2023. They noted a link with LockBit, currently the most active gang: in one intrusion they observed, the attackers first attempted to deploy LockBit, and only after that failed did they fall back on ThreeAM.

The malware is written in Rust, a cross-platform language, which makes it possible to target Windows, macOS or Linux machines. It has claimed at least one victim in France, the company DS Granit. Intrinsec's analysts consider it likely that ThreeAM's operators have ties to former members of Conti, the gang that fell apart after Russia's invasion of Ukraine.
