Threat Group Profile
threeam
β Active β last 30 days
Victim claims
15
First seen
Apr 2026
Last activity
29 Jun 2026
Tracked since
β
Group overview
A new Ransomware family identified by the name '3AM' or 'ThreeAM' in September 2023. The ransomware operation was observed by the Symantec team, in which a ransomware affiliate attempted to deploy another ransomware, LockBit, on the target network and then switched to 3AM when LockBit was reportedly blocked. > > The ransomware operation, according to the publication on its Tor-based website, has been operating since mid-August 2023, according to the publication from its first victim.Source: https://github.com/crocodyli/ThreatActors-TTPs
Preferred targets
Business Services Β· 4
Agriculture and Food Production Β· 2
Technology Β· 2
Manufacturing Β· 1
Healthcare Β· 1
Most targeted countries
MX Β· 2
US Β· 2
AR Β· 2
GB Β· 1
HR Β· 1
VN Β· 1
Tactics & techniques (MITRE ATT&CK)
Persistence
Create Account
Privilege Escalation
Service Execution
Bypass User Account Control
Defense Evasion
Clear Windows Event Logs
Disable or Modify System Firewall Settings
Discovery
Remote System Discovery
Network Share Discovery
Group Policy Discovery
Exfiltration
Exfiltration Over Alternative Protocol
Impact
Data Encrypted for Impact
Inhibit System Recovery