A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist news.sophos.com/en-us/202…

Ransomware is usually a crime of opportunity. Attackers typically strike through an easily discovered vulnerability or security weakness: unpatched Internet-facing software, vulnerable network edge devices, and exposed inbound virtual private network ports lacking multifactor authentication are among the most common points of initial compromise. However, some attacks appear much more targeted and include significant pre-attack reconnaissance and identification of specific organization employees as targets.

Sophos has been tracking multiple ransomware actors leveraging an attack pattern first reported by Microsoft in May 2024 in connection with the threat group designated Storm-1811: using “email bombing” to overload a targeted organization’s employee with unwanted emails, and then making a voice or video call over Microsoft Teams posing as a tech support team member to deceive that employee into allowing remote access to their computer. Between November 2024 and mid-January 2025, Sophos documented two distinct threat clusters using these techniques in over 15 incidents. Further hunting has found over 55 attempted attacks using this technique.
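As an added illustration (not part of the Sophos article or this post), the following Python snippet flags the email-bombing precursor described above by counting inbound messages per recipient in a sliding window over constructed mail-gateway log lines; the log format, window size and threshold are assumptions for the example:

```python
# Added example: detect "email bombing" bursts per recipient.
# Log format "<ISO timestamp> <recipient> <sender>" is an assumption.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a mail gateway log (not real data).
SAMPLE_LOG = """\
2025-02-03T09:00:01 alice@example.org newsletter1@list.example
2025-02-03T09:00:04 alice@example.org signup@shop.example
2025-02-03T09:00:09 bob@example.org colleague@example.org
2025-02-03T09:00:12 alice@example.org promo@deals.example
2025-02-03T09:00:20 alice@example.org noreply@forum.example
2025-02-03T09:00:31 alice@example.org welcome@app.example
2025-02-03T09:00:45 alice@example.org digest@news.example
2025-02-03T09:20:00 bob@example.org hr@example.org
"""


def parse_log(text):
    """Parse log lines into (timestamp, recipient, sender) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, rcpt, sender = line.split()
        events.append((datetime.fromisoformat(ts), rcpt, sender))
    return sorted(events)


def detect_email_bombing(events, window=timedelta(minutes=1), threshold=5):
    """Return {recipient: (window_start, count, distinct_senders)} for every
    recipient that received at least `threshold` messages inside any `window`.
    Many distinct senders in one burst is the signature of mass sign-up bombing,
    as opposed to one misbehaving sender."""
    recent = defaultdict(deque)  # recipient -> deque of (ts, sender) in window
    hits = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and rcpt not in hits:
            hits[rcpt] = (q[0][0], len(q), len({s for _, s in q}))
    return hits


if __name__ == "__main__":
    for rcpt, (start, n, senders) in detect_email_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{rcpt}: {n} messages from {senders} senders starting {start}")
```

A hit here is a trigger to warn the recipient that a follow-up "IT support" call or Teams chat may be the next step, not a verdict on its own.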

In the first quarter of 2025, Sophos Incident Response aided an organization targeted by attackers affiliated with the 3AM ransomware group. The pattern followed other email bombing attacks in many ways, but several aspects of the attack set it apart from previous Teams “vishing” incidents connected to the two threat clusters Sophos had previously associated with these tactics.

In this case, the attacker used a phone call that spoofed the phone number of the organization’s IT department. The attack included deploying a virtual machine on a compromised computer, giving the attackers an initial foothold hidden from endpoint protection software. The ransomware attack itself was thwarted, but the attackers remained on the network for 9 days before attempting to launch ransomware, and they succeeded in stealing data from the targeted organization’s network.
