3AM Ransomware Gang Hacks Networks With Spoofed IT Calls And Email Bombing

In a recent campaign, 3AM ransomware actors moved beyond simple opportunistic hacks to a more proactive approach: impersonating IT support. Using a combination of email bombing and spoofed IT support calls, the attackers got unwitting employees to drop their guard and grant access to their workstations (and thus to corporate systems). From there, the actors were free to deploy whatever nefarious payload they desired.

Sophos, a leading cybersecurity firm, has been closely tracking multiple ransomware actors utilizing a playbook first observed by Microsoft in May 2024. This strategy initially involves email bombing—overwhelming a target with unwanted emails—followed by a voice or video call, often through Microsoft Teams, where attackers pose as tech support to gain remote access. Sophos has documented over 55 attempted attacks using this technique in the first quarter of 2025 alone.

A recent incident involving the 3AM ransomware group showcased this familiar technique. In this particular attack, the criminals spoofed the victim organization's IT department phone number, adding a layer of authenticity to their deception. The initial breach was achieved by convincing an employee, amidst a barrage of spam emails, to grant remote access via Microsoft Quick Assist, a Windows tool installed by default on many systems. Through that session the attackers redirected the victim to a fake Microsoft domain, which then delivered a Google Drive link to a malicious archive.

The true innovation in this attack, however, lay in what the attackers deployed next: a pre-configured Windows 7 virtual machine, launched via the Qemu emulator, directly on the compromised computer. This virtual machine, running a QDoor trojan, served as a hidden foothold, allowing the attackers to establish command and control while largely evading network protection software. In this case the 3AM actors remained undetected on the network for a staggering nine days, exfiltrating approximately 868GB of data to cloud storage before attempting to launch their ransomware.
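As an added illustration of how a defender could hunt for the chain described above (an unexpected QEMU process appearing on a workstation shortly after a Quick Assist session), here is a Python example that is not part of the Sophos research. The Sysmon-style process-creation events are constructed, and the binary names, trusted install directories and one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not from the Sophos report):
# (timestamp, host, user, image path, parent image path)
EVENTS = [
    ("2025-03-03T10:02:11", "WS-017", "CORP\\jdoe",
     "C:\\Program Files\\WindowsApps\\QuickAssistPkg\\QuickAssist.exe", "C:\\Windows\\explorer.exe"),
    ("2025-03-03T10:14:40", "WS-017", "CORP\\jdoe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\qemu\\qemu-system-i386.exe", "C:\\Windows\\System32\\cmd.exe"),
    ("2025-03-03T11:30:05", "WS-042", "CORP\\asmith",
     "C:\\Program Files\\qemu\\qemu-system-x86_64.exe", "C:\\Windows\\explorer.exe"),
    ("2025-03-03T15:00:00", "WS-009", "CORP\\bkim",
     "C:\\Users\\bkim\\Downloads\\q\\qemu-system-x86_64.exe", "C:\\Windows\\explorer.exe"),
]

# Assumed binary names: QEMU ships as qemu-system-<arch>.exe, Quick Assist as QuickAssist.exe.
QEMU_RE = re.compile(r"\\qemu-system-[\w-]+\.exe$", re.IGNORECASE)
QUICKASSIST_RE = re.compile(r"\\QuickAssist\.exe$", re.IGNORECASE)
# Assumed locations where a sanctioned QEMU install would live (anything else is suspect).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
WINDOW = timedelta(hours=1)


def is_trusted_path(image):
    return image.lower().startswith(TRUSTED_DIRS)


def find_suspicious_vm_launches(events, window=WINDOW):
    """Flag QEMU launched from a user-writable path; raise severity when a Quick
    Assist session started on the same host within `window` beforehand."""
    events = sorted(events, key=lambda e: e[0])
    quickassist_starts = {}  # host -> list of Quick Assist start times
    for ts, host, _user, image, _parent in events:
        if QUICKASSIST_RE.search(image):
            quickassist_starts.setdefault(host, []).append(datetime.fromisoformat(ts))
    findings = []
    for ts, host, user, image, parent in events:
        if not QEMU_RE.search(image) or is_trusted_path(image):
            continue
        t = datetime.fromisoformat(ts)
        after_qa = any(timedelta(0) <= t - qa <= window for qa in quickassist_starts.get(host, []))
        findings.append({"host": host, "user": user, "image": image, "parent": parent,
                         "after_quick_assist": after_qa, "severity": "high" if after_qa else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_vm_launches(EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} launched {f['image']} (after Quick Assist: {f['after_quick_assist']})")
```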

Further investigation by Sophos revealed that the 3AM ransomware group is a rebranding of BlackSuit/Royal ransomware, with ties to the notorious Conti group. Leaked BlackBasta chat logs even show discussions of the vishing scripts and techniques used in these attacks, indicating a shared, evolving playbook among these criminal syndicates.

While the ransomware attack itself was largely thwarted by the targeted organization's Sophos network defenses (despite the attackers' attempts to disable MFA and endpoint protection), these cases stress the need for proactive cybersecurity measures. Organizations need to conduct more employee awareness training to combat vishing attacks, educating staff on legitimate IT contact procedures and remote support tools. More thorough audits of account policies and procedures, as well as stronger remote access controls, should be prioritized too.