3AM ransomware uses spoofed IT calls, email bombing to breach networks

Published on: 2025-06-28 20:27:21

A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving up credentials for remote access to corporate systems. This tactic was previously linked to the Black Basta ransomware gang and later observed in FIN7 attacks, but its effectiveness has driven wider adoption. Sophos reports seeing at least 55 attacks leveraging this technique between November 2024 and January 2025, linked to two distinct threat clusters. Those attacks followed the Black Basta playbook, including email bombing, vishing via Microsoft Teams, and Quick Assist abuse. The leak of Black Basta's internal conversations helped other threat actors get up to speed, as it included a template to use during Microsoft Teams phishing attacks impersonating IT help desks. The 3AM ransomware attack, targeting a Sophos client, occurred in the first quarter of 2025 and used a similar approach but with a twist of real phone phishing in ...