Researchers link 3AM ransomware to Conti, Royal cybercrime gangs

January 20, 2024 at 10:16AM

The 3AM ransomware operation has been found to have connections with infamous groups such as the Conti syndicate and the Royal ransomware gang. It is using new tactics, such as sharing news of data leaks with victims’ social media followers and using bots to reply to high-ranking accounts on X (formerly Twitter). 3AM has also tested a new extortion technique on Twitter. The Conti syndicate, once the largest and most aggressive ransomware operation, has dissolved, but former members and affiliates have partnered with other operations such as Royal ransomware.

Key takeaways from the article:

1. 3AM Ransomware Operation:
– Connection with the Conti Syndicate and Royal Ransomware Gang: Security researchers identified close connections between the activities of the 3AM ransomware operation and those of the Conti syndicate and the Royal ransomware gang.
– Adoption of a New Extortion Tactic: 3AM has been observed experimenting with a new extortion tactic: sharing news of a data leak with the victim’s social media followers and using bots to reply to high-ranking accounts on X (formerly Twitter) with messages pointing to the leaked data.

2. Link to Conti Syndicate:
– Strengthened Connection with Conti: An investigation by the French cybersecurity company Intrinsec revealed significant overlap in communication channels, infrastructure, and tactics between 3AM and the Conti syndicate.
– Infrastructure and Malware Connections: The findings link 3AM to specific IP addresses associated with particular malware, as well as to a hosting company known to have hosted malware.

3. Twitter Bot Strategy:
– Employment of Automated Replies: 3AM likely deployed a Twitter bot to automatically reply to tweets from a U.S. company, spreading news of the attack and data leak in order to damage the victim’s reputation. The bot increased the volume and frequency of replies over time, indicating a coordinated effort.

4. Conti Syndicate Background:
– Conti Syndicate Activities: The Conti cybercrime syndicate was a major ransomware operation until its dissolution following the data breach known as the Conti Leaks. Its members and affiliates later partnered with other ransomware operations, such as Royal ransomware.

Overall, the article describes the evolving tactics of the 3AM ransomware operation, its strong connections to the Conti syndicate, and the ongoing threat it poses to organizations, particularly through social media manipulation. Together, these takeaways summarize the security threat posed by the 3AM ransomware operation and its affiliations.
