3AM Ransomware Operators Use Spoofed IT Calls, Email Bombing for Network Breaches

The 3AM ransomware gang exploits spoofed IT support calls and email bombing to socially engineer remote access, targeting corporate networks in stealthy credential-based breaches.

    A 3AM ransomware affiliate is leveraging spoofed IT support calls and email bombing attacks to compromise corporate networks through credential theft and social engineering. This increasingly popular tactic mimics prior methods used by the Black Basta and FIN7 ransomware groups and is now seeing broader adoption due to its effectiveness.

    According to a new report by Sophos, at least 55 attacks using this tactic were observed between November 2024 and January 2025, indicating a growing operational tempo. The researchers attributed the activity to two separate threat actor clusters, both employing the same method to breach networks.

    The attack lifecycle lasted approximately nine days, with data exfiltration typically completed by the third day. After that, the attackers were generally detected and blocked from escalating privileges or moving laterally.

    The 3AM ransomware group, first seen in late 2023, has known ties to the Conti ransomware and Royal ransomware families—both notorious for their Ransomware-as-a-Service (RaaS) infrastructure and operational sophistication.

    Social Engineering: Voice Phishing Meets Email Bombing

    The attack chain begins with email bombing—an overwhelming flood of irrelevant emails that drowns out legitimate security alerts. Simultaneously, the attackers initiate spoofed phone calls, posing as internal IT support personnel to convince employees to share remote access credentials. Once credentials are in hand, the group gains unauthorized access to corporate systems for data theft and ransomware deployment.

    These social engineering attacks are particularly dangerous because they bypass technical controls by exploiting human trust, making them difficult to detect with traditional defenses.

    Mitigation Recommendations

    Sophos recommends several proactive defenses to mitigate these ransomware attack tactics:

    • Audit administrative accounts for poor security hygiene and remove unused accounts.
    • Use Extended Detection and Response (XDR) tools to block misuse of legitimate programs like QEMU and GoodSync.
    • Enforce PowerShell execution policies to only allow signed scripts.
    • Implement blocklists using IOCs (indicators of compromise) linked to these threat actors.
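One way to act on the first and third recommendations on a Windows host, as an added example rather than code from the Sophos report: audit the local Administrators group for disabled or stale members and enforce an AllSigned execution policy. The 90-day staleness threshold is a constructed value, and domain principals are listed for review rather than resolved.

```powershell
# Added example (not from the Sophos report or the 3AM write-up).
# Part 1: audit local Administrators group members for poor hygiene.
# Part 2: report and enforce the AllSigned PowerShell execution policy.
# Run from an elevated PowerShell 5.1+ session on the host being audited.

$StaleDays = 90                                   # constructed threshold
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Members = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $Members) {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        # Strip the "COMPUTER\" prefix so Get-LocalUser can resolve the name
        $name = ($m.Name -split '\\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $u) { continue }

        if (-not $u.Enabled) {
            # Disabled accounts should be removed from the group, not left in it
            Write-Output "DISABLED admin still in group: $name"
        } elseif ($null -eq $u.LastLogon -or $u.LastLogon -lt $Cutoff) {
            # Never used, or unused for longer than the threshold
            Write-Output "STALE admin (last logon: $($u.LastLogon)): $name"
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $Cutoff) {
            Write-Output "OLD PASSWORD (set $($u.PasswordLastSet)): $name"
        }
    } else {
        # Domain users/groups need the ActiveDirectory module to audit fully;
        # surface them so they are reviewed centrally rather than ignored
        Write-Output "Non-local admin member (review in AD): $($m.Name)"
    }
}

# Show the effective policy at every scope before changing anything
Get-ExecutionPolicy -List

# AllSigned requires every script to carry a trusted Authenticode signature.
# Note: Microsoft documents execution policy as a safety feature, not a
# security boundary; pair it with application control and logging.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
```

Findings are written to the pipeline so they can be redirected to a file or fed into a ticketing workflow for account removal.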

    Additionally, security awareness training is crucial. Preventing voice phishing and socially engineered ransomware attacks ultimately depends on employee vigilance and the ability to recognize suspicious communications.

    As the 3AM ransomware operation expands, enterprises must strengthen both their technical controls and user education to resist these deceptive and evolving threats.
