threeam

Ransomware group profile

9Victims

RussiaSource country

51Impact score

Also Known As

Time 3AM

Description

Threeam is a ransomware group that emerged in February 2023, known for its quick deployment and sophisticated encryption methods. Primarily motivated by financial gain, they employ double extortion tactics to pressure high-value organizations into paying ransoms after encrypting their data and exfiltrating sensitive information.

Key insights

•Utilizes custom-built ransomware variants written in Rust.
•Employs social engineering tactics to gain initial access, including phishing and voice phishing.
•Focuses on double extortion by encrypting files and threatening to release sensitive data publicly.
•Targets high-value sectors such as healthcare and financial services.
•Uses advanced evasion techniques like disabling security software and deleting Volume Shadow Copies.
•Linked to other ransomware operations like LockBit and Conti, indicating a collaborative nature among threat groups.

Industries

Education Energy & Utilities Government & Defense Healthcare Hospitality Manufacturing Other Professional Services Technology Transportation

Threat Level & Status Breakdown

For threeam · Based on incidents in selected period

2.3threat level

Aggressiveness2.3/ 10

Lethality0/ 10

Criticality5/ 10

Status Breakdown

Claimed100.0%9

First seenNov 2025

Last seenMay 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for threeam in the selected period

9Total attacks

8peak in May

4.5avg / month

↑ 7 vs first month

No intelligence data for this group.

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for threeam

Other

T1486

T1490

T1021

T1562

T1080

T1078

T1547

T1041

T1021.001

T1059

Victims(9)

Company	Domain	Country	Industry	Status	Discovered
wyomingcountyny.gov	wyomingcountyny.gov	US United States	Government & Defense	Claimed	about 1 month ago
sequoiadental.com	sequoiadental.com	US United States	Healthcare	Claimed	about 1 month ago
townofnorwell.net	townofnorwell.net	US United States	Government & Defense	Claimed	about 1 month ago
curedentalbeltontx.com	curedentalbeltontx.com	US United States	Healthcare	Claimed	about 1 month ago
austinplasticandreconstructivesurgery.com	austinplasticandreconstructivesurgery.com	US United States	Healthcare	Claimed	about 1 month ago
hsjlawyers.com	hsjlawyers.com	CA Canada	Professional Services	Claimed	about 1 month ago
bun.nl	bun.nl	NL Netherlands	Other	Claimed	about 1 month ago
ic-controls.com	ic-controls.com	DE Germany	Manufacturing	Claimed	about 1 month ago
aceforwarding.com	aceforwarding.com	US United States	Transportation	Claimed	about 1 month ago

Affected countries(14)

Countries where this group has been reported to target or leak victims.

🇦🇺Australia 🇧🇩Bangladesh 🇧🇷Brazil 🇩🇪Germany 🇪🇨Ecuador 🇪🇸Spain 🇫🇮Finland 🇫🇷France 🇬🇧United Kingdom 🇮🇹Italy 🇯🇵Japan 🇲🇾Malaysia 🇸🇪Sweden 🇺🇸United States