Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

3AM ransomware

3AM ransomware

Also known as: ThreeAM

Category: Malware

Type: Ransomware

Platform: Windows

Variants: N/A

Damage potential: unauthorized access, data theft, installation of undesirable software, malware infection, file corruption and loss, stolen keystrokes, system performance issues, network connectivity problems, browser interference.


3AM ransomware is a new strain of ransomware designed to encrypt and steal files on your device unless you pay a ransom. It is also capable of stealing files from the local network, and as a result, this malware is often used to attack businesses. Cyber researchers have noticed that 3AM ransomware is used as a fallback when another type of ransomware, Lockbit, is discovered and blocked.

Possible symptoms

If 3AM is ever used against your network successfully, you’ll likely experience a slowdown in device performance followed by a text file (RECOVER-FILES.txt) containing a ransomware message starting something like this:

“Hello. ‘3 am’ The time of mysticism, isn’t it? All your files are mysteriously encrypted, and the systems ‘show no signs of life,’ the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to their original state.”

While the message’s contents may differ, the attackers will likely warn you that they will sell your data if you don’t pay, and they will give instructions on how to buy cryptocurrency and pay them with it.

Other symptoms of 3AM may include:

  • Files with the .threeamtime extension.

  • Some files are no longer accessible.

  • Disabled security programs such as your antivirus.

  • Browsers may be blocked from visiting security sites or redirected to the attackers’ websites.

Sources of the infection

If attackers target your company, they will probably use spear phishing to trick one of your employees into opening a malicious attachment. However, just like most ransomware, 3AM ransomware is spread through illegal downloads or by clicking on a malicious link in an email.


3AM ransomware is new, so discovering and preventing it may be challenging. Ensuring your system and antivirus are up to date is crucial. Other ways to protect against 3AM ransomware include:

  • Double-check links and attachments with the sender before clicking on them. Attackers often use stolen credentials to spread malware. When that’s the case, the malicious message may come from someone in your email contacts or social media friends list. Wait until they confirm what they’re sending before clicking on it.

  • Only use official sources to download software updates. Ransomware and other types of malware are often spread through pirated software and fake updates.

  • Use Threat Protection. NordVPN’s Threat Protection can prevent 3AM ransomware because it scans files for malware before they’re downloaded.

Ultimate digital security