
Fake IT Calls and Email Floods Used in Sophisticated 3AM Ransomware Attack

May 25, 2025 by Edward Silha

The crew behind the 3AM strain of ransomware has been hitting companies using a familiar playbook: flood the target with junk emails, follow up with a fake IT call, and convince someone to hand over remote access. It’s not new, but it still works. Probably more than it should.

This kind of attack was first seen with the Black Basta gang, then picked up by FIN7. Thanks to leaked chat logs and shared templates, it’s now being copied by others. Sophos tracked 55 attacks between November and January that used the same tactics, tied to two different threat actor groups.

In a case from early 2025, attackers went after a Sophos customer using a spoofed phone number that matched the company’s internal IT help desk. At the same time, they launched an email bombing run—24 emails in under three minutes—to stir up panic. Then came the call. The fake tech support rep told the employee there was suspicious activity and got them to open Microsoft Quick Assist and grant access.
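The email bombing run described above is itself a signal a defender can alarm on: one mailbox suddenly receiving dozens of messages in a couple of minutes, well ahead of the "help desk" call. The following is an added example, not code from the original post or from Sophos, showing a per-recipient sliding-window detector run over constructed mail-gateway log lines. The log line layout (timestamp, recipient, sender), the sample addresses, and the threshold of 20 messages within 3 minutes (chosen just under the 24-in-under-three-minutes figure from the case) are all assumptions.

```python
"""Sliding-window detector for inbound email floods (email bombing).

Added example. The log format and sample traffic below are constructed
for illustration and do not reflect any vendor's real gateway logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LINE_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse one constructed gateway log line: '<ISO timestamp> <recipient> <sender>'."""
    ts, recipient, sender = line.split()
    return datetime.strptime(ts, LINE_FORMAT), recipient.lower(), sender.lower()


def detect_email_floods(
    lines: List[str],
    threshold: int = 20,                      # assumed alert threshold
    window: timedelta = timedelta(minutes=3),  # assumed window length
) -> Dict[str, Tuple[int, datetime, datetime]]:
    """Return {recipient: (peak_count, burst_start, last_seen)} for every recipient
    that received at least `threshold` messages inside any `window`-long span.

    A deque per recipient holds the timestamps still inside the window; old
    entries are evicted from the left as newer messages arrive.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Tuple[int, datetime, datetime]] = {}
    # Process in time order so the window logic holds even for unsorted logs.
    for ts, rcpt, _sender in sorted(parse_line(l) for l in lines if l.strip()):
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak, start, _ = alerts.get(rcpt, (0, q[0], ts))
            alerts[rcpt] = (max(peak, len(q)), start, ts)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed traffic: a quiet mailbox (bob) plus one mailbox (alice) hit by
    24 junk sign-up confirmations seven seconds apart, a 161-second burst."""
    base = datetime(2025, 2, 3, 9, 0, 0)
    lines = [
        f"{(base - timedelta(hours=2)).strftime(LINE_FORMAT)} bob@example.com hr@example.com",
        f"{(base - timedelta(minutes=30)).strftime(LINE_FORMAT)} bob@example.com vendor@example.net",
        f"{(base + timedelta(minutes=10)).strftime(LINE_FORMAT)} bob@example.com hr@example.com",
    ]
    for i in range(24):
        ts = (base + timedelta(seconds=7 * i)).strftime(LINE_FORMAT)
        lines.append(f"{ts} alice@example.com signup{i}@example.org")
    return lines


if __name__ == "__main__":
    for rcpt, (count, start, last) in detect_email_floods(build_sample_log()).items():
        print(f"EMAIL FLOOD: {rcpt} got {count} messages between {start} and {last}")
```

The alert carries the burst start time so an analyst can line it up against help-desk call logs and remote-access tool launches (Quick Assist in the case above) from the same few minutes; a flood followed shortly by a remote session on the same user's machine is the pattern worth paging on.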

Once inside, the attacker pulled down a malicious file from a phony domain. It contained a VBScript, a Windows 7 image preloaded with the QDoor backdoor, and QEMU, a virtualization tool they used to tunnel network traffic and avoid detection.

From there, they ran internal scans using PowerShell and WMIC, created a local admin account, installed the remote management tool XEOXRemote, and eventually compromised a domain admin account.

Sophos did stop the attacker from moving laterally or disabling defenses, but not before 868 GB of data was stolen and uploaded to Backblaze using the GoodSync utility. Attempts to run the actual ransomware were blocked, so the damage was limited to data theft and one infected system.

The attack ran for nine days. Most of the data was gone by day three. Sophos locked them out before they could push further.

To prevent this kind of breach, Sophos recommends tightening up admin accounts, blocking tools like QEMU and GoodSync using XDR, and locking down PowerShell to signed scripts only. Maintaining updated blocklists based on current threat intel doesn’t hurt either.

But all the tools in the world won’t help if someone picks up the phone and gives control to the wrong person. This stuff works because it’s personal. If your people aren’t trained to spot it, it’s only a matter of time.

The 3AM group has been active since late 2023 and has ties to the Conti and Royal ransomware operations.

Filed Under: Blog, Cybersecurity Tagged With: 3AM ransomware, cybersecurity breach, data exfiltration, email bombing, PowerShell attack, QEMU, Quick Assist, social engineering, Sophos, spoofed IT calls
