ThreeAM Ransomware

Under attack by ransomware or suffering a cyber breach?

Speed is critical when facing a live cyber attack. If you believe you’ve been compromised by the ThreeAM ransomware group or another threat actor, contact us immediately.

About ThreeAM ransomware group

Emerging in mid-2023, ThreeAM is a relatively new but notable ransomware strain that has attracted attention due to its unique use of the Rust programming language and its targeted, manual deployment techniques. This threat group is known for leveraging remote access methods to infiltrate networks before executing their ransomware attacks.

An infection with ThreeAM results in the encryption of systems and critical files, with victims receiving a ransom note, as shown here, demanding cryptocurrency payment in exchange for decryption keys.


If your organisation has been infected with ransomware contact us immediately.

How ThreeAM operators work

ThreeAM (also stylised as 3AM) is a rare and emerging ransomware variant first identified in 2023. Unlike many mainstream ransomware operations, ThreeAM appears to be deployed as a backup payload, typically when primary ransomware (such as LockBit) is detected and blocked. 

Written in Rust, a modern programming language that offers increased speed and stealth, ThreeAM can be compiled for multiple operating systems. This makes it more difficult for traditional security software to detect and analyse.

The threat group behind ThreeAM uses a hands-on approach, manually deploying the ransomware after gaining remote access through techniques such as phishing, RDP compromise, or exploiting unpatched vulnerabilities. Communication during the attack may even involve a voice or video call to negotiate ransom demands or provide instructions. Once inside the network, they attempt to exfiltrate sensitive data before launching encryption of critical files, following a typical double extortion model.

According to a principal threat researcher, ThreeAM’s combination of stealthy deployment, manual execution, and the use of encrypted files for ransom makes it a particularly challenging threat to defend against.

We are equipped to deal with an attack from any ransomware group.

Don’t hesitate to contact us if you are under attack from a ransomware group not listed above. 

Recognising a ThreeAM attack

ThreeAM is deployed manually, often during late-night hours (hence the name), once attackers have already obtained administrative access to the target environment. The attackers typically gain control of user accounts with elevated privileges or compromise virtual machines to move laterally within the network. Victims may also notice unwanted emails suddenly disrupting normal operations as part of the attack’s initial phase. The ransomware then encrypts files with the .threeamtime extension and leaves behind a note outlining payment demands and threatening data exposure.

Before launching encryption, ThreeAM has been observed attempting to terminate various security and backup services, including deleting volume shadow copies, to avoid detection and recovery. This allows the attackers to bypass traditional security tools and make restoration more difficult. The group often focuses on the primary targeted employee’s credentials to gain deeper access and maximise impact.
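The signals described in this section (service stops, shadow copy deletion, late-night activity and files renamed to .threeamtime) can be correlated per host. The following is an added example, not code from the original page or from Zensec. The log format, host and user names, the 00:00-05:00 "late-night" window and the command patterns (generic Windows commands, not ThreeAM-specific indicators) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample telemetry, one event per line: ts|host|kind|user|detail.
# Hosts, users, paths and the log format itself are invented for this example.
SAMPLE_LOG = r"""
2025-03-04T14:05:12|WS17|process|CORP\jsmith|net stop spooler
2025-03-04T02:38:51|FS01|process|CORP\adm-backup|net stop "Example Backup Agent"
2025-03-04T02:39:07|FS01|process|CORP\adm-backup|vssadmin.exe delete shadows /all /quiet
2025-03-04T02:44:30|FS01|file|CORP\adm-backup|D:\Shares\finance\q1.xlsx.threeamtime
2025-03-04T02:44:31|FS01|file|CORP\adm-backup|D:\Shares\finance\q2.xlsx.threeamtime
2025-03-04T03:10:02|DB02|process|CORP\adm-backup|wmic shadowcopy delete
2025-03-04T09:15:00|WS22|file|CORP\mlee|C:\Users\mlee\report.docx
this line is malformed and must be skipped
"""

ENCRYPTED_EXT = ".threeamtime"        # extension named on the page
OFF_HOURS = (time(0, 0), time(5, 0))  # assumption: "late-night" means 00:00-05:00 local

# Assumption: generic Windows commands for deleting shadow copies and stopping
# services. They are not ThreeAM-specific indicators taken from the page.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        re.I),
    "service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I),
}


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 4)  # detail may itself contain '|'
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append({"ts": ts, "host": parts[1], "kind": parts[2],
                       "user": parts[3], "detail": parts[4]})
    return events


def verdict(finding):
    """Rank a host: encryption seen > recovery inhibited > needs human review."""
    kinds = {kind for _, kind, _ in finding["indicators"]}
    if finding["encrypted_files"]:
        return "encryption-observed"
    if "shadow_copy_deletion" in kinds:
        return "recovery-inhibited"  # encryption may not have started yet
    return "review"                  # a service stop alone is often routine admin work


def analyse(events):
    """Correlate indicators per host, in time order, and return flagged hosts."""
    hosts = defaultdict(lambda: {"indicators": [], "encrypted_files": 0,
                                 "first_encrypted": None, "off_hours": False})
    for ev in sorted(events, key=lambda e: e["ts"]):
        f = hosts[ev["host"]]
        hit = None
        if ev["kind"] == "process":
            hit = next((n for n, rx in RULES.items() if rx.search(ev["detail"])), None)
            if hit:
                f["indicators"].append((ev["ts"], hit, ev["user"]))
        elif ev["kind"] == "file" and ev["detail"].lower().endswith(ENCRYPTED_EXT):
            hit = "encrypted_file"
            f["encrypted_files"] += 1
            f["first_encrypted"] = f["first_encrypted"] or ev["ts"]
        if hit and OFF_HOURS[0] <= ev["ts"].time() < OFF_HOURS[1]:
            f["off_hours"] = True

    report = {}
    for host, f in hosts.items():
        if not f["indicators"] and not f["encrypted_files"]:
            continue  # nothing suspicious on this host
        lead = None
        if f["indicators"] and f["first_encrypted"]:
            # Seconds between the first command indicator and the first encrypted file.
            lead = (f["first_encrypted"] - f["indicators"][0][0]).total_seconds()
        report[host] = dict(f, verdict=verdict(f), lead_seconds=lead)
    return report


if __name__ == "__main__":
    for host, f in sorted(analyse(parse_log(SAMPLE_LOG)).items()):
        print(host, f["verdict"], "off-hours" if f["off_hours"] else "in-hours",
              f["encrypted_files"], "encrypted file(s), lead:", f["lead_seconds"])
```

A "recovery-inhibited" host with no encrypted files yet is the case worth alerting on first, because the lead time on the constructed FS01 timeline is only a few minutes.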

Why you must not interfere with your ransomware environment

If you discover a physical break-in at your offices, your first instinct would be to call the police; touch nothing and let them search for clues. Then, your focus would shift to restoring business operations.

A cyber-attack requires the same approach. Your digital environment is a CRIME SCENE. It is crucial to leave the environment untouched to allow for a forensic investigation.

This is not a task for your IT team or MSP. Digital Forensic specialists are available 24/7 to assist you, just like in a physical crime.

Description Sector Date Discovered Attack Date Country Screenshot
Our team at KKP stands for competent, creative and personal solutions. We are highly motivated, client-oriented and efficient. Our lawyers are specialists in their field of expertise and work independently and reliably with a high degree of busine Business Services 25/05/2025 07:01 PM 06/02/2025 07:00 PM US View
Founded in 2007. Industrial Service Solutions is headquartered in Houston, Texas. Industrial Service Solutions processes equipment across a set of industrial markets and servicing and inspections. Business Services 25/05/2025 07:00 PM 18/02/2025 06:59 PM US View
Interstate Commercial Glass and Door, Inc. is a glass and glazing subcontractor serving primarily Northwest Ohio and Southeast Michigan, specializing in new builds and renovations for schools, hospitals, and office buildings. With over 18 years of Not Found 25/05/2025 06:58 PM 21/02/2025 12:00 AM US View
Desert Behavioral Health (DBH) was founded in 2009 based on the Bio-Psycho-Social integrated mental health services model. In the past years, DBH has provided outpatients mental health services for thousands of clients in Southern Nevada. Desert Healthcare 25/05/2025 06:56 PM 19/03/2025 06:55 PM US View
TICM specializes in designing and building control panels. That is our focus and our expertise. This allows us to meet deadlines, provide competitive pricing, and provide panels that truly meet the needs of the customer. We understand what is invo Technology 25/05/2025 06:55 PM 06/02/2025 12:00 AM US View
J.A. Street & Associates is one of the most respected General Contracting firms in Northeast Tennessee and Southwest Virginia. The company has grown over the years by providing our clients with the best fully-integrated service available and have Not Found 25/05/2025 06:53 PM 03/03/2024 12:10 PM US View
Neffendorf & Blocker, PC is a full-service, licensed accounting firm operating in the Texas Hill Country. We bring personal attention and care to our work with each of our clients. We value your privacy very highly. Please read this Privacy Policy Financial Services 25/05/2025 06:52 PM 18/02/2025 12:00 AM US View
SVT specializes in designing, engineering, commissioning, and servicing turn-key commercial audio/video systems including IT, audio/video distribution, digital signage, surveillance & security, broadcasting and a host of other technology systems. Entertainment 25/05/2025 06:50 PM 25/05/2025 06:49 PM US View
Vaziri Law Group has the expertise, dedication and experience combines extensive experience, deep knowledge of the law and dedication to protecting the rights of accident victims to get you justice. Whether you were the victim of a personal injury Business Services 25/05/2025 06:49 PM 20/05/2025 12:00 AM US -
Leonardo is a global aerospace, defense, and security company providing helicopters, security electronics, aeronautics, and space defense systems. The company was founded in 1948 and is headquartered in Rome, Italy. Technology 13/02/2025 05:33 PM 15/01/2025 12:00 AM IT -
SEHMA is a Home Health Care provider network specializing in Home Health Nursing, Hi Tech Infusion, Durable Medical Equipment and Diagnostic Services. SEHMA companies provide an impeccable continuity of care with excellent patient outcomes. SEHMA... Not Found 11/02/2025 10:39 AM 01/02/2025 12:00 AM DE -
Founded in 2010 and headquartered in Vancouver, Washington, Core Health and Fitness is a privately-held marketer and distributor of commercial fitness solutions to health clubs, community recreational centers, hotels, and educational facilities. Consumer Services 05/02/2025 09:28 PM 05/02/2025 09:28 PM US -
Soitin Laine - Reliable musical instrument retail since 1931. With us you will find all the instruments, sheet music and accessories you need, as well as equipment for recording sound. Buy online or visit our shop in Turku or Helsinki. Not Found 30/01/2025 12:03 PM 30/01/2025 12:03 PM FI -
Our district is comprised of Vergennes Union Elementary School (K-6), Ferrisburgh Central School (K-6), Addison Central School (K-6) and Vergennes Union High School (7-12). We are conveniently located between Burlington and Middlebury communities... Not Found 15/01/2025 10:09 AM 15/01/2025 10:09 AM US -
The clinic of a Schulstrasse family doctor who apparently doesn't care about his patients. Not Found 09/01/2025 01:02 PM 27/11/2024 12:00 AM DE -
Kurita America Inc. (KAI) was established in 1996 as the US subsidiary of KURITA WATER INDUSTRIES LTD. of Tokyo, Japan. KAI provides complete turn-key systems, maintenance services, and water treatment chemicals capable of meeting the needs of... Manufacturing 17/12/2024 04:43 PM 29/11/2024 12:00 AM JP -
City of Hoboken Government 04/12/2024 02:52 PM 04/12/2024 02:52 PM US -
Mid-States Industrial, Incorporated was founded in 1992 with the objective of providing quality tank repair paired with specialized in-house engineering services. For over 30 years, Mid-States has provided industrial maintenance, repair, and new... Manufacturing 13/11/2024 11:52 AM 13/11/2024 11:52 AM US -
ANU Enterprise works behind the scenes to maximise the impact of research findings of the Australian National University, on the world. We enable researchers to generate and deliver consulting, contract research and executive education... Business Services 31/10/2024 01:32 PM 28/09/2024 12:00 AM AU -
In-Home Attendant Services partners with individuals of every age and disability to assist them with living a more independent lifestyle. With either the CDS or Agency option, you have choices that help you take charge of who comes into your... Healthcare 31/10/2024 01:30 PM 31/10/2024 01:30 PM US -
Since the beginning of the 21st century, Caillau has offered the market the perfect synthesis of the words “Historical Expertise”, in addition to the recent changes successfully implemented, both in the entry of new shareholders and in the areas... Manufacturing 31/10/2024 01:28 PM 08/10/2024 12:00 AM BR -
Sandray Precision Grinding Inc is located in Rockford, Illinois and has served the Midwest region for 50 years of grinding experience. Sandray Precision Grinding Inc operates in 2 buildings with 34,000 square feet and has a wide variety of... Not Found 31/10/2024 01:26 PM 10/10/2024 12:00 AM US -
Our team succeeds in providing an affordable and reliable redemption service for all promotional needs. Our services are designed especially for new coupon users and small to mid-size consumer product companies. Our business model and service... Business Services 31/10/2024 01:24 PM 24/10/2024 12:00 AM AU -
We are here for you whenever you need us, for however long you need us. At Freedom Home Care and Medical Staffing, we never lose sight of the details and focus on the customer service our clients have come to expect. Since our founding in 1997,... Healthcare 31/10/2024 01:21 PM 19/10/2024 12:00 AM US -
Welcome to Carolina Arthritis Since its founding in 1991, Carolina Arthritis has been leading the way in the diagnosis and treatment of arthritis, musculoskeletal disorders, connective tissue diseases, autoimmune illnesses and osteoporosis. At... Healthcare 24/10/2024 02:15 PM 24/10/2024 02:15 PM US -
The Oklahoma Sleep Institute, founded in 2003, is dedicated to providing the highest quality sleep medicine to the community. We are a comprehensive Sleep Disorder Clinic staffed by Advanced Registered Nurse Practitioners and a Board Certified... Healthcare 10/10/2024 07:03 PM 10/10/2024 07:03 PM US -
William Vere & Sons was founded in 1912 by the great-grandfather of Richard Vere, our current Managing Director was a craftsman Chair Maker who made Windsor chairs. This classic wood chair was the staple product of the area, due to the abundant... Manufacturing 30/09/2024 07:49 PM 30/09/2024 07:49 PM GB -
The Carlile Group is a collective of experts committed to advancing the science of buildings. We collaborate to assist owners in creating, enhancing, and maintaining our built environment. Transportation/Logistics 30/09/2024 05:50 PM 30/09/2024 05:50 PM GB -
Sacred Heart Catholic School is a vibrant and dynamic school with high expectations and great ambitions for every one of our pupils. We believe that discipline, structure and common purpose are solid foundations for success in life and... Education 30/09/2024 05:48 PM 18/06/2024 12:00 AM GB -
mctas.org.au (respect.com.au) Providing better living in Australia for over a century As a proud not for profit organisation since 1922, Respect serves the senior community through our high standard of care and community. Our name may have... Healthcare 30/09/2024 05:46 PM 06/06/2024 12:00 AM AU -
Manufacturing Network Pte Ltd (“MNPL”) was established in November 2000 in Singapore. Our main business includes the stocking, distribution and cutting of aluminium alloy plates, sheets and extrusion bars and profiles. Transportation/Logistics 30/09/2024 05:44 PM 25/07/2024 12:00 AM SG -
Providing global solutions for high-yield agriculture since 1985. GRUPO GESTIRIEGO is made up of a broad international network of branch offices and distributors spread across the world, with headquarters in Spain. Our... Agriculture and Food Production 18/09/2024 12:12 PM 26/08/2024 12:00 AM ES -
We are located in Amityville, Long Island, New York and are fully accredited by The Joint Commission and licensed by the New York State Office of Mental Health. We offer a state of the art program that focuses on the treatment of acute mental... Healthcare 12/09/2024 06:10 PM 12/09/2024 06:10 PM US -
Thermal Solutions LLC is also a proud family-owned and operated HVAC-R business. Our heating and AC repairs include new equipment installations if needed. We help by walking you through all of the issues faced with your equipment and give you... Manufacturing 16/05/2024 04:42 AM 16/05/2024 04:42 AM US View
We are the largest company in systems and solutions for extrajudicial notary offices. We develop innovative software and solutions for the management of extrajudicial notary offices, notary services, protest notary services, office of... Technology 16/05/2024 04:40 AM 16/05/2024 04:40 AM BR View
Compagnie de Phalsbourg is a real estate development, investment and management company. Founded in 1989, it ranks among the leaders of the French retail real estate market. Compagnie de Phalsbourg develops... Business Services 15/04/2024 07:34 AM 21/03/2024 12:00 AM FR View
Founded in 1966, Kootenai Health is a hospital that provides patient care services for people in Idaho, Montana, and Eastern Washington. They are based in Coeur d'Alene, Idaho. ... Healthcare 25/03/2024 11:47 AM 25/03/2024 11:47 AM US View
Moore & Tibbits is a well respected law firm, with more than 188 years of legal service in the centre of Warwick. Our reputation is based on a reliable, flexible, personal, first class service combined with the use of modern technology which... Business Services 27/02/2024 12:56 PM 27/02/2024 12:56 PM GB View
As an Airbus Robotics Company, MTM Robotics is a trusted global provider of high-quality automation systems, software systems, and engineering services for the aerospace and aircraft manufacturing industries. Technology 22/02/2024 02:42 PM 14/11/2023 12:00 AM US View
Preston General Engineering (PGE), a division of ABCOR Pty Ltd, is the industry leader in the fabrication and assembly of metal, aluminium and stainless steel parts. PGE has a strong commitment of service to provide quality products that are... Business Services 22/02/2024 02:41 PM 22/02/2024 02:41 PM AU View
From luxury apartments and exclusive active adult housing to affordable, moderate family living, Doneff Companies LLC has built and manages more than 1,056 apartment homes across central and eastern Wisconsin. Agriculture and Food Production 21/02/2024 12:44 PM 21/02/2024 12:44 PM US View
For over 60 years, Garon Products, Inc. has defined what it means to be a trusted concrete coating supplier. Our top-quality concrete floor repair products and floor coatings meet the demands of even the most challenging industrial,... Manufacturing 12/02/2024 10:29 PM 12/02/2024 10:29 PM US View
We are a 100% Mexican company dedicated to implementing infrastructure and security solutions for critical operating processes. Our team is made up of certified professionals, specialists and technicians to offer... Business Services 01/02/2024 11:04 PM 01/02/2024 11:04 PM MX View
CSI is a product lifecycle management company based in Scarborough, Ontario. CSI is ISO 9001:2015 + TL 9000 - V R6.0/ R5.5 Certified. CSI specializes in Smart City technology, IoT and have a state-of-the-art data storage facility in... Business Services 12/01/2024 07:27 PM 12/01/2024 07:27 PM CA View
Headquartered in McAdenville, North Carolina, Pharr Yarns is one of the most diversified sales yarn manufacturers in the world. We serve our diversified global customer base from offices across the United States and Europe. Our US operations... Manufacturing 12/01/2024 07:26 PM 12/01/2024 07:26 PM US View
Woodruff Enterprises Inc. is a rapidly growing company with roots in farming and agriculture. It was by the request of our loyal customers that we began hauling livestock with a pickup truck and a gooseneck trailer... 12/12/2023 05:42 PM 12/12/2023 05:42 PM View
Share & Harris LLC is a company that operates in the Accounting industry. It employs 11-20 people and has $1M-$5M of revenue. The company is headquartered in East Brunswick, New Jersey, 08816, United States 12/12/2023 05:42 PM 12/12/2023 05:42 PM US View
Syr-Tech manufactures custom perforated metal as well as roll formed metal shapes to your exact specifications. With hundreds of stock perforated metal patterns as well as a huge assortment of standard roll formed tooling, chances are we... 06/12/2023 08:57 AM 06/12/2023 08:57 AM View
We typically serve two types of customers: national powerhouses looking for mass-produced, brand-consistent signage and local business owners seeking custom builds. While both have very different goals, one thing remains... 05/12/2023 04:11 PM 05/12/2023 04:11 PM View
FOUR LOCATIONS. ONE FIRM. As a boutique law firm, specializing in estate planning, trust and estate administration, and elder law, we are dedicated to serving all our clients with a high level of quality, effort, and creativity. Pulling... 27/11/2023 04:23 PM 27/11/2023 04:23 PM View
DS GRANIT advises and supports you from A to Z in your most ambitious projects. Our knowledge of this field allows us to offer you products that match your furniture, with a quality service. ... 22/11/2023 07:26 AM 22/11/2023 07:26 AM FR View
Neal Brothers are a fundamental member representing the UK, Romania and Charleston USA. INPRO Export Services Ltd, is an organisation registered in England as a Consortium of Independent Export Packing and Transportation... 18/11/2023 11:07 AM 18/11/2023 11:07 AM RO View
Maniland Ltd is an active company incorporated on 5 March 2019 with the registered office located in Wembley, Greater London. Maniland Ltd has been running for 4 years. Classification: Buying and selling of own real estate (68100) Letting and... 26/10/2023 07:54 PM 26/10/2023 07:54 PM GB View
ClaimTek’s Professional Medical & Dental Billing Software Offers Advanced Features, Versatility And Flexibility. When you work with ClaimTek, you are working directly with the software developer. ClaimTek offers a professional suite of modern... 26/10/2023 12:21 PM 26/10/2023 12:21 PM View
Simmons Equipment Company was honored to again be an exhibitor at the 2013 Bluefield Coal Show. With 240 exhibitors, and an estimated 5,000 visitors during the three-day show, the Bluefield show continues to be one of the nation's top regional... 28/09/2023 01:18 PM 28/09/2023 01:18 PM View
Hacienda Zorita Wine Hotel & Spa, located in Salamanca, is an icon of history. We can say that we took part in one of the most decisive historical events: the Discovery of America. 22/09/2023 01:17 PM 22/09/2023 01:17 PM View
Fi-Tech is “your global connection” to the leading manufacturers of complete machines or technical components used in the production of Polymer, Synthetic Fibers, Nonwovens, Textiles, Converting, Perforated Products or in Tobacco Processing. ... 22/09/2023 01:16 PM 22/09/2023 01:16 PM View
1 in 4 people in the world will be affected by mental or neurological disorders at some point in their lives. Roughly every family will have at least one afflicted person in the home. The wellbeing of those suffering from these disorders is... 22/09/2023 11:44 AM 22/09/2023 11:44 AM View
The WD Group comprises of Three Main Business handling with mining, civil construction and transportation.Its history can be traced back when Wawasan Dengkil Sdn Bhd began its operations in year 2007 with its... 14/09/2023 09:33 PM 24/08/2023 12:00 AM MY View
Since 2003, PVB Fabrications, Inc. (PVB) has provided quality welding and fabrication services while steadily developing into a direct-hire, multi-disciplined general contractor. PVB has the technical ability to... 14/09/2023 09:33 PM 29/08/2023 12:00 AM US View
Specializing in Beverage Re-Packing and Fulfillment for just about anything Start increasing your production with our fully automated variety packaging services. We have the bandwidth to quickly... 14/09/2023 09:32 PM 04/08/2023 12:00 AM US View
What started out as a hobby in the kitchen summer of 2016 turned into a full time passion for growing nutrient dense foods. We’re now partnered with restaurants, hotels, and country clubs throughout the Houston and College Station/Bryan Texas... 14/09/2023 09:32 PM 22/08/2023 12:00 AM US View
We are a North Texas based physician group committed to making healthcare more accessible for those individuals who are unable or have difficulty leaving their home to receive medical treatment. Visiting Physician's Network... 14/09/2023 09:31 PM 04/09/2023 12:00 AM US View
Since 1989, Clearwater Landscape & Nursery has been a renowned leader in luxury landscaping and outdoor-living space construction throughout our region. We are proud to serve homeowners, developers... 14/09/2023 09:31 PM 12/09/2023 12:00 AM US View

Post breach actions

  • Call an NCSC Cyber Incident Response approved supplier. Some NCSC providers will fund up to 48 hours of investigation into your incident.
  • Report the incident to Report Fraud
  • Locate your business continuity plan. Work out what you can do without access to your systems and data.
  • Identify your business insurance contact details

Who are we and what experience do we have in responding to cyber incidents?

We are accredited to ISO 27001 and recognised by the UK’s National Cyber Security Centre (NCSC).

We provide comprehensive cyber risk management services, with a core focus on Digital Forensics and Incident Response (DFIR). Our capabilities are driven by a 24/7 Security Operations Centre and a dedicated in-house intelligence team that delivers timely, actionable threat reporting.

With decades of collective cyber security experience, we have the expertise to assume operational ownership of your entire IT security architecture – simplifying and strengthening cyber security across your business.

We are an Assured Service Provider for Cyber Incident Response (CIR) at the Standard Level. This accreditation demonstrates our ability to deliver high-assurance, effective support in response to a wide range of cyber threats.

Your NCSC-approved supplier is a specialist crime scene investigator who will:

  1. Isolate and preserve your environment for forensic investigation.
  2. Identify where the data has been duplicated and issue a legal takedown order.
  3. Identify your data, application and systems restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
  4. Liaise with your business insurance company and if needed, with the Police.
  5. Advise you on notifying your customers of your situation.
  6. Rebuild your systems, restore your data and get you back to full operation. Note: This process can take between 2 weeks – 2 months.

 

Working with us

Our response process

Our team are ransomware recovery specialists with a proven, streamlined approach to resolving incidents quickly and effectively.

Step 1: Triage

We deploy our incident response team the same day. From the first call, we begin onboarding, introduce key stakeholders, set communication schedules, and start gathering critical information to guide the response.

Step 2: Investigation

DFIR (Digital Forensic Incident Response) teams investigate breaches to identify vulnerabilities, attack vectors, and system impacts from ransomware such as Data Loss (PII). We deliver clear forensic insights to guide mitigation.

Step 3: Contain

Our onsite and remote teams act fast to stop the attack in its tracks. That includes isolating affected systems, removing malicious code, and putting protections in place to prevent further spread or damage.

Step 4: Remediate & Eradicate

Once contained, we work to fully eliminate the threat. This includes fixing exploited vulnerabilities, restoring systems to a secure state, and ensuring no traces of the attack remain.

Step 5: Recover

Our incident response teams help get your business back to normal. We restore access to systems, recover data, and ensure services are safe, stable, and functioning, with minimal downtime.

Step 6: Post Incident

We conduct a full review of the incident response and recovery efforts. Together we assess what happened, what worked, and what can be improved, helping you build stronger defences for the future.

Forensic analysis to drive recovery

Our process includes a thorough digital forensic analysis from step two where the output becomes a central component of business recovery. This is because understanding the attack is of critical importance:

  • Informing an initial infection date

  • The extent and spread of infection

  • Data exfiltration having an impact on regulatory positions

  • Ensuring that the attacker and any tooling or artefacts they leave behind are eradicated

It is critical that the analysis of digital evidence is carried out to an agreed plan.

Maximising early root cause discovery and legal leverage

The process is purpose-built to uncover the root cause as early as possible, which is essential to inform remediation / eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.

Our Digital Forensic and Incident Response (DFIR) teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates during the Cyber Incident Response journey, utilising risk registers and working within change management processes, all from triage through to post-incident, delivering successful business recovery.

Key takeaways

  • You will not be able to access your systems or data.
  • It is advised to disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
  • Your Office 365 system might also be compromised, allowing the attackers to monitor your responses. Avoid communicating with individuals through your primary email or team systems.
  • Threat actors typically infiltrate your system at least 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated. If your system is encrypted, this was not an overnight event.
  • Ransom demands in the UK typically range from £500,000 to £3 million, with some sectors, like education, facing demands that exceed £5 million.
  • Paying the ransom may violate financial sanctions, which is a criminal offence and could result in a custodial sentence or further financial penalties.
  • If your data is sold or published online, it puts your customers and staff at risk, potentially implicating you in a Data Protection breach.
  • You will need to submit a data takedown request to the initial location where the data was transferred.
  • Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was sent.
  • Avoid rebuilding from the latest backup, as it is likely to be infected.

Why should I trust Zensec to do this work rather than my IT team?

A forensic analysis needs to be meticulous and a clean restore and recovery requires a wealth of experience not normally available in an in-house team who must provide a broader range of IT support skills:

Internal IT teams don’t have the necessary skill set to resolve security encryption issues themselves. 

IT teams may recover to the same position with indicators of compromise ready to do it again… which can lead to another breach.

Internal teams are pressured to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before completion.

We can help

Frequently asked questions

Key information when you’re under pressure.

Yes, ThreeAM is a form of ransomware. It encrypts data on the target system and demands payment for decryption keys, often threatening to leak exfiltrated data unless the ransom is paid. As one of the more recent emerging threats, ThreeAM combines manual deployment with data extortion tactics, making it particularly dangerous for organisations lacking strong cyber security defences.

The ThreeAM ransomware entered your system by one of several possible methods:

  • Compromised credentials

  • Phishing attacks

  • Vulnerabilities in remote services

In many cases, the attack begins when a compromised computer is used as a foothold, often through the actions of a tech support team member unknowingly allowing remote access or through the misuse of privileged accounts.

A threat intelligence analyst would identify this as part of a broader pattern of targeted, hands-on ransomware operations. To reduce the risk of future incidents, we recommend adopting the following policies:

  • Educate your staff on the importance of cyber security

  • Enforce the use of strong passwords

  • Enable multi-factor authentication

  • Remove unused or old user accounts

  • Perform regular, tested backups

  • Deploy timely updates to all software and systems

After recovering from a ThreeAM ransomware attack, Zensec strongly advises updating your business continuity plan to reflect the lessons learnt during the incident and recovery process.

A ransomware attack presents the most significant threat to your business by:

  • Disabling your access to systems, which could hinder machinery operation or impede progress through your business processes.
  • Blocking access to critical data concerning suppliers, shipments, customers, orders, or steps in your business workflow.

In the event of a business interruption, identifying your position in the supply chain and sustaining operations can be challenging. If the disruption continues, maintaining business continuity becomes critical. Once systems and data are restored, addressing backlogs and establishing future operational protocols are essential.

Ransomware ranks only behind receivership in terms of its capacity to incapacitate a business.

The NCSC is the UK National Cyber Security Centre. They provide cyber security guidance and support, helping to make the UK the safest place to live and work online. They have defined a Cyber Incident Response procedure and they have approved and accredited suppliers to provide this service.

https://www.ncsc.gov.uk/

As a recognised Assured Service Provider by the National Cyber Security Centre (NCSC), Zensec provide comprehensive cyber risk management services that are designed to Protect, Detect & Mitigate cyber security threats across the UK.

Report Fraud is the UK's national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Report Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.

https://www.reportfraud.police.uk/
https://www.actionfraud.police.uk/

Facing genuine pressure, there's a crucial decision to make - one that could rescue your organisation from weeks of operational standstill, reputation damage, and client data loss. Yet, the probability of a favourable outcome remains slim, emphasising the importance of engaging a specialised ransomware incident response team. They are your most viable recourse for navigating a ransomware incident.

The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home

Important Reminder: It is a criminal offence to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing.

The latest iteration can be found here: https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets

ThreeAM operators typically gain remote access through compromised user accounts, phishing attacks, or exploiting vulnerabilities in remote services like RDP. Once inside, they manually deploy the ransomware to maximise impact.

After gaining initial remote access, ThreeAM attackers perform lateral movement by compromising additional user accounts or virtual machines. This allows them to navigate through the network, escalate privileges, and deploy ransomware more broadly across the target environment.

Dealing with a ransomware attack?
Our ransomware recovery service can help

Our expert team works quickly to contain the breach, recover your data, and restore your systems to full operation. We’ll guide you through every step of the recovery process and help strengthen your defences to prevent future attacks. Regain control with Zensec - trusted support when it matters most.