
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs
2024-01-20 15:09

Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.

The 3AM ransomware gang's activity was first documented publicly in mid-September when the Threat Hunter Team at Symantec, now part of Broadcom, revealed that they noticed threat actors switching to ThreeAM ransomware after failing to deploy the LockBit malware.

According to researchers at French cybersecurity company Intrinsec, ThreeAM is likely connected to the Royal ransomware group - now rebranded as Blacksuit, a gang of former members of Team 2 within the Conti syndicate.

The link between 3AM ransomware and the Conti syndicate became stronger as Intrinsec progressed in their investigation of the group's tactics, infrastructure used in attacks, and communication channels.

The 3AM ransomware gang replied to tweets from the victim, as well as from various accounts, some with hundreds of thousands of followers, with a link to 3AM's data leak site on the Tor network.

The Conti cybercrime syndicate was the largest and most aggressive ransomware operation from 2020 until it shut down in May 2022 following a data breach known as Conti Leaks.


News URL

https://www.bleepingcomputer.com/news/security/researchers-link-3am-ransomware-to-conti-royal-cybercrime-gangs/