Ransomware attacks are becoming more sophisticated, quieter and more convincing. They no longer rely solely on technical breaches: they now exploit people's trust, stress and distraction. An affiliate of the 3AM ransomware has perfected this strategy, combining spoofed tech support calls with mass email bombardment in highly targeted attacks designed to get employees to hand over remote access to corporate systems.
This social engineering tactic, previously seen in attacks linked to groups such as Black Basta and FIN7, has proven so effective that it is being adopted by other threat actors. In fact, dozens of incidents involving this technique have been detected between November 2024 and January 2025, underscoring its growing popularity among cybercriminals.
This type of attack follows almost to the letter the tactics already used by the Black Basta group: email bombardment, vishing calls via Microsoft Teams, and abuse of tools such as Quick Assist to take remote control of computers. In fact, when the internal conversations of that group were leaked, many other actors took advantage of the information. The leak even included ready-to-use templates for use in phishing campaigns via Teams, impersonating internal technical support staff. That gave many cybercriminals a solid base to replicate and adapt their attacks.
One such case was a 3AM ransomware attack in early 2025. Instead of using Teams, the attackers took a bolder step: they made a real phone call. Not only that, but they spoofed the number of the company's IT department, making the call look completely legitimate. All this happened while the victim was receiving a barrage of emails: 24 messages in just three minutes.
During the call, the attacker told the worker that suspicious activity had been detected on his computer and asked him to open Microsoft Quick Assist. Once the attacker had remote access, he downloaded a malicious file from a domain that looked authentic. That file contained a VBS script, a QEMU emulator and a ready-made Windows 7 image with a backdoor known as QDoor.
QEMU is what let the attacker stay hidden: the QDoor backdoor ran inside the emulated Windows 7 guest rather than on the host itself, and its traffic was routed out through the host, so endpoint defenses saw only a legitimate QEMU process while the attacker moved around the network from inside the virtual machine. From there, he performed system reconnaissance with PowerShell and WMIC, created a new local administrator account to connect later via RDP, installed XEOXRemote, a legitimate remote access tool, and finally compromised a domain administrator account.
Although the victim's security tools blocked some of the attacker's moves, such as attempts at lateral movement and at disabling key defenses, they could not prevent the data theft: the attacker exfiltrated 868 GB of data to a cloud storage account using GoodSync, a legitimate backup and file synchronization tool.
In the end, the security systems also prevented the 3AM ransomware from encrypting the entire network, but the damage was done: loss of data, an encrypted machine and access that almost went unnoticed.
The 3AM ransom note (Source: Sophos)
The attack lasted nine days, although the data theft ended on the third day, just before the security team managed to block the attackers and prevent them from continuing to move around the network.
After the incident, several recommendations were shared to prevent such attacks in the future. For example, review administrative accounts for weak settings or unnecessary permissions, and use XDR (extended detection and response) solutions to block legitimate tools that have no business in the environment, such as QEMU or GoodSync, which attackers abuse precisely because they are legitimate and therefore rarely flagged.
Another key measure is to restrict script execution to scripts signed and approved by the company, using PowerShell execution policies (for example, AllSigned). This closes a common route for malware execution, with one caveat: the execution policy is a guardrail rather than a security boundary, since anyone with local administrator rights can bypass it, so it should be backed by application control such as AppLocker or Windows Defender Application Control.
It is also important to use known indicators of compromise (i.e., attacker fingerprints) to create block lists and filter connections from malicious sources.
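The following script is an added example, not code from the Sophos report or from TecnetOne, that turns the recommendations above into an endpoint triage pass against the traces this intrusion left behind: recently created local accounts and group additions (Security events 4720 and 4732, which cover the attacker's new local administrator), running processes that look like the abused tools, the PowerShell execution policy, and a host-firewall block rule fed from an IOC list. It assumes an elevated Windows PowerShell 5.1 session on the endpoint. The process-name fragments "goodsync" and "xeox" and the two IP addresses are assumptions for illustration only (the addresses are from a reserved documentation range); "qemu-system" and "QuickAssist" are the real binary names of QEMU and Quick Assist.

```powershell
<#
Added example, not from the Sophos report or TecnetOne's tooling: triage an endpoint for the
traces described in the 3AM intrusion and maintain a host-firewall IOC block rule.
Run in an elevated Windows PowerShell 5.1 session. Items marked as assumptions are not from the page.
#>
param(
    [int]$LookbackDays = 14,
    # Constructed IOC list for illustration only (TEST-NET addresses); replace with vetted indicators.
    [string[]]$BlockedAddresses = @('203.0.113.10', '198.51.100.25')
)

# 1. Account activity: Security event 4720 (user account created) and 4732 (member added to a
#    security-enabled local group). The attacker created a local admin and later used it over RDP.
function Get-RecentLocalAccountActivity {
    param([int]$Days = 14)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the EventData fields by name instead of relying on positional Properties indices.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Actor   = $data['SubjectUserName']
            # 4720: TargetUserName is the new account. 4732: MemberName is the member, TargetUserName the group.
            Target  = if ($e.Id -eq 4720) { $data['TargetUserName'] } else { $data['MemberName'] }
            Group   = if ($e.Id -eq 4732) { $data['TargetUserName'] } else { $null }
        }
    }
}

function Get-CurrentLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Legitimate tools abused in the intrusion. 'qemu-system' and 'QuickAssist' are the real binary
#    names; 'goodsync' and 'xeox' are assumed name fragments - adjust to what your inventory shows.
$AbusedToolPattern = '^(qemu-system|qemu-img|quickassist|goodsync|xeox)'
function Find-AbusedTools {
    param([string]$Pattern = $AbusedToolPattern)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        Select-Object Id, Name, Path
}

# 3. Script policy. The execution policy is a guardrail, not a security boundary (a local admin
#    can run powershell.exe -ExecutionPolicy Bypass); pair it with AppLocker or WDAC.
function Test-ScriptPolicy {
    $policy = Get-ExecutionPolicy
    [pscustomobject]@{
        EffectivePolicy = $policy
        SignedOnly      = $policy -in @('AllSigned', 'Restricted')
    }
}

# 4. IOC block list at the host firewall. Creates the rule once, then replaces its address list.
function Set-IocBlockRule {
    param([string[]]$Addresses, [string]$RuleName = 'IOC-Block-Outbound')
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Addresses
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -RemoteAddress $Addresses -Profile Any | Out-Null
    }
}

# Report
'== Account creations / group additions (last {0} days) ==' -f $LookbackDays
Get-RecentLocalAccountActivity -Days $LookbackDays | Format-Table -AutoSize
'== Current local Administrators =='
Get-CurrentLocalAdmins | Format-Table -AutoSize
'== Running processes matching the abused-tool pattern =='
Find-AbusedTools | Format-Table -AutoSize
'== PowerShell execution policy =='
Test-ScriptPolicy | Format-Table -AutoSize
if ($BlockedAddresses) {
    Set-IocBlockRule -Addresses $BlockedAddresses
    '== Firewall rule IOC-Block-Outbound now blocks {0} address(es) ==' -f $BlockedAddresses.Count
}
```

Two design notes. A hit from Find-AbusedTools is a lead, not a verdict: Quick Assist is a legitimate Microsoft tool and the point of the 3AM case is that the attacker used exactly such tools, so the output should be cross-checked against who launched the process and when. The account check deliberately reads the event XML by field name rather than by Properties index, because the positional layout differs between 4720 and 4732 and silently misattributing the actor is worse than no result.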
However, no matter how good the technology, attacks such as mail bombing and voice phishing can only be effectively prevented if workers are well informed and prepared. Without awareness and training, everything else falls short. It is worth remembering that this 3AM ransomware campaign began in late 2023 and over time has been linked to dangerous groups such as Conti and Royal, making it clear that it is not the work of beginners.
At TecnetOne we have a SOC (Security Operations Center) that integrates XDR capabilities to provide continuous monitoring, event correlation and automated responses to threats in real time. This allows us to detect anomalous behavior, identify suspicious use of system tools and react quickly to intrusion attempts, even when advanced evasion techniques are used.
In addition, we manage centralized alerts, enforce customized security rules and provide complete visibility into critical endpoints and servers, strengthening protection against attacks such as 3AM ransomware.