A growing number of cyberattacks are being carried out by a group linked to the 3AM ransomware. These attackers are using a combination of spam emails and fake phone calls pretending to be a company’s tech support team. Their goal is to fool employees into giving them access to internal systems.
This method, which has been seen in past cyber incidents involving other groups like Black Basta and FIN7, is becoming more widespread due to how effective it is. Cybersecurity company Sophos has confirmed at least 55 attacks using this approach between November 2024 and January 2025. These incidents appear to come from two different hacker groups following similar tactics.
In one recent case during early 2025, the attackers targeted a company using a slightly different method than before. Instead of pretending to be tech support over Microsoft Teams, they called an employee using a fake caller ID that showed the company’s actual IT department number. The call took place while the employee’s inbox was being flooded with dozens of spam emails in just minutes — a technique known as email bombing.
During the call, the attacker claimed the employee's device had security issues and asked them to open Microsoft’s Quick Assist tool. This is a real remote help feature that allows another person to take control of the screen. Trusting the caller, the employee followed instructions and unknowingly handed over access to the attacker.
Once inside, the hacker downloaded a dangerous file disguised as a support tool. Inside the file were harmful components including a backdoor, a virtual machine emulator (QEMU), and an old Windows system image. These tools allowed the attacker to hide their presence and avoid detection by using virtual machines to move through the network.
The hacker then used tools like PowerShell and WMIC to explore the system, created a new admin account, installed a remote support tool called XEOXRemote, and gained control of a domain-level account. Although Sophos security software stopped the ransomware from spreading and blocked attempts to shut down protections, the hacker managed to steal 868 GB of company data. This data was sent to cloud storage using a syncing tool called GoodSync.
The full attack lasted around nine days. The majority of the data theft happened in the first three days before the attackers were cut off from further access.
To protect against such attacks, Sophos suggests reviewing admin accounts for weaknesses, using security tools that can spot unusual uses of trusted programs, and setting strict rules for running scripts. Most importantly, companies should train employees to recognize signs of fake support calls and suspicious emails, as these scams depend on fooling people — not just machines.
The 3AM ransomware group is relatively new, first spotted in late 2023, but appears to have links with well-known cybercrime networks like Conti and Royal.
