3AM ransomware uses spoofed IT calls, email bombing to breach networks

A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.

This tactic was previously linked to the Black Basta ransomware gang and later observed in FIN7 attacks, but its effectiveness has driven a wider adoption.

Sophos reports seeing at least 55 attacks leveraging this technique between November 2024 and January 2025, linked to two distinct threat clusters.

Read more at Bleeping Computer