3AM Ransomware Exploits Spoofed IT Communications and Email Bombing Techniques to Compromise Network Security
A recent investigation has unveiled the tactics employed by the 3AM ransomware affiliates, who are executing highly targeted attacks by leveraging email bombardment and spoofed IT support calls. This method of social engineering aims to manipulate employees into divulging credentials that facilitate unauthorized access to corporate networks.
This approach, which has previously been associated with the Black Basta ransomware group and more recently observed in FIN7 attacks, has seen a surge in use due to its effectiveness. Reports indicate that Sophos has documented at least 55 incidents involving this strategy between November 2024 and January 2025, linked to two separate threat clusters.
The attacks closely followed the Black Basta operational playbook, employing techniques such as email bombing, voice phishing via Microsoft Teams, and the exploitation of Quick Assist. Notably, the leak of internal communications from Black Basta provided a template for subsequent attacks, aiding other threat actors in refining their methods.
In early 2025, a notable attack targeting a Sophos client showcased a variant of these tactics, combining email bombing with voice phishing conducted over actual phone calls. During the assault, victims received 24 unsolicited emails within a three-minute window, which were designed to overwhelm and distract them.
The perpetrators impersonated the organization’s IT department by spoofing its phone number, convincing an employee to open Microsoft Quick Assist and grant remote access under the pretext of investigating alleged malicious activity. The attackers then initiated a malicious download from a spoofed domain; the payload contained a VBS script, a QEMU emulator, and a Windows 7 image embedded with the QDoor backdoor.
QEMU was strategically employed to evade detection by tunneling network traffic through virtual machines, thereby permitting continuous, undetected ingress into the compromised network. Through these means, the attackers conducted reconnaissance utilizing Windows Management Instrumentation Command-line (WMIC) and PowerShell. They established a local administrator account for remote desktop protocol (RDP) access, implemented the commercial remote monitoring and management tool XEOXRemote, and compromised a domain administrator account.
Although Sophos’ protective measures successfully obstructed lateral movement and attempts to deactivate defenses, the attackers managed to exfiltrate approximately 868 GB of sensitive data to Backblaze cloud storage using the GoodSync tool. Subsequent efforts to deploy the 3AM ransomware encryptor were thwarted, limiting the damage mainly to data theft, with encryption confined to the compromised host.
The entire incident unfolded over nine days, with the primary data theft completed by the third day. Following this, the attackers were successfully prevented from extending their reach.
To bolster defenses against such attacks, Sophos recommends several proactive measures, including auditing administrative accounts for weaknesses, employing Extended Detection and Response (XDR) solutions to block unauthorized use of legitimate tools such as QEMU and GoodSync, and implementing PowerShell execution policies that allow only signed scripts to run.
Furthermore, utilizing available indicators of compromise (IOCs) to establish blocklists can significantly reduce the risk of intrusion from known malicious entities. Ultimately, raising employee awareness around email bombing and voice phishing tactics is critical for effectively mitigating these threats.
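As an added example (not code from the Sophos report or this article), the following Python prototype sketches the detection logic an XDR or SIEM rule set could apply to the chain described above: a script launching QEMU from a user profile, WMIC reconnaissance, local administrator creation, and a GoodSync run. The process-creation events, host paths and account names are constructed for the example.

```python
import re

# Constructed sample process-creation events (invented for this example).
# Format: "<parent image>> <child image path> | <command line>"
SAMPLE_EVENTS = [
    r"explorer.exe> C:\Windows\System32\QuickAssist.exe | QuickAssist.exe",
    r"wscript.exe> C:\Users\alice\Downloads\update\qemu-system-x86_64.exe | "
    r"qemu-system-x86_64.exe -m 512 -hda win7.img -netdev user,id=n0 -device e1000,netdev=n0",
    r"cmd.exe> C:\Windows\System32\wbem\WMIC.exe | wmic computersystem get domain",
    r"cmd.exe> C:\Windows\System32\net.exe | net user svc_backup Summer2025! /add",
    r"cmd.exe> C:\Windows\System32\net.exe | net localgroup administrators svc_backup /add",
    r"explorer.exe> C:\Users\alice\AppData\Local\GoodSync\GoodSync.exe | GoodSync.exe /sync Backblaze",
    r"explorer.exe> C:\Program Files\Microsoft Office\WINWORD.EXE | WINWORD.EXE report.docx",
]

# Each rule: (attack stage, regex matched case-insensitively against the whole event line).
# Stage names follow the sequence in the incident narrative above.
RULES = [
    ("initial_access", r"^\S+> .*\\quickassist\.exe"),                      # Quick Assist session
    ("vm_tunnel", r"^(?:w|c)script\.exe> c:\\users\\.*qemu-system[^ ]*\.exe"),  # script spawns QEMU
    ("recon", r"\\wmic\.exe \| wmic "),                                     # WMIC reconnaissance
    ("persistence", r"\\net\.exe \| net user \S+ \S+ /add"),                # new local account
    ("persistence", r"\\net\.exe \| net localgroup administrators \S+ /add"),  # added to admins
    ("exfil", r"\\goodsync\.exe \| "),                                      # GoodSync execution
]

def match_event(event):
    """Return the stage names whose rule fires on a single event line."""
    return [stage for stage, pattern in RULES if re.search(pattern, event, re.IGNORECASE)]

def detect_chain(events, min_stages=3):
    """Run every rule over every event and raise an alert when at least
    `min_stages` distinct stages appear, which singles out the chained
    behaviour rather than any one tool in isolation."""
    hits = [(stage, event) for event in events for stage in match_event(event)]
    stages = sorted({stage for stage, _ in hits})
    return {"hits": hits, "stages": stages, "alert": len(stages) >= min_stages}

if __name__ == "__main__":
    result = detect_chain(SAMPLE_EVENTS)
    for stage, event in result["hits"]:
        print(f"[{stage}] {event}")
    print("ALERT: 3AM-style chain" if result["alert"] else "no chain", result["stages"])
```

The threshold on distinct stages is what keeps a lone legitimate GoodSync or WMIC run from paging an analyst; tune `min_stages` and the rule list to your own telemetry format.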
The 3AM ransomware operation, which began operating in late 2023, has been connected to prominent cybercrime groups including Conti and Royal, underscoring the ongoing and evolving threat landscape within information security.