3AM Ransomware Claims to Extort Italy’s Aerospace Security Company Leonardo SpA

Published
Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

The 3AM ransomware group claimed that they targeted the Italian multinational company, Leonardo SpA, which manufactures aerospace, defense, and security products. The leak site post published on February 13 claimed a ransomware attack on Leonardo. 

The threat intelligence platform Falcon Feeds posted this screenshot of 3AM’s leak website:  

Screenshot of the Post Claiming the Ransomware Attack | Source: Falcon Feeds / X

The ransomware claim was made on February 13. An automated summary of the claim posted by RedPacket Security, an InfoSec news portal, stated that information about users and third-party entities was impacted.

Although the summary adds that the data of 39 users was exposed, based on data extracted from 3AM/ThreeAM's post, it does not state what specific user information was disclosed.

The summary also mentioned 62 third-party entities connected to the Italian aerospace manufacturer. Not making any user data public indicates that 3AM members were likely waiting for a deadline for the ransom payment before leaking any data. 

The Italian news publication, Nextwork360, stated that a sample analysis of the leaked data amounting to 13.43MB might lead to Leonardo’s suppliers, Cae (Canadian aerospace giant) and Rotorsim (joint venture between Cae and Leonardo).

A translated statement by Leonardo on X denied the claims saying, “Leonardo specifies that the rumors according to which the hacker group ThreeAM violated the corporate IT systems of Leonardo Spa are completely unfounded.” 

We approached Leonardo for a comment and received a response similar to the one posted on X, clarifying that the threat actor's claims are merely rumors and that there is no evidence to prove unauthorized access impacting Leonardo Spa's IT systems.

3AM has been active since 2023 and follows the common pattern of encrypting data on targeted systems. The ransomware is written in the Rust programming language, and the cybercriminals behind the group were found communicating in the Russian language.

A Tripwire report about the 3AM ransomware stated, “The 3AM ransomware renames encrypted files so they have a ".threeamtime" extension and adds a marker string of "0x666".”

The ThreeAM ransomware also wipes volume shadow copies to cause more damage by making the files difficult to recover. 
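The two file-level indicators quoted from the Tripwire report can be used to sweep a file share during triage. The following Python is an added example, not code from this article or from Tripwire; it assumes the marker is stored as the ASCII bytes `0x666` somewhere inside the file (the report does not say where), and the sample files are constructed.

```python
import os
import pathlib
import tempfile

EXTENSION = ".threeamtime"  # extension quoted from the Tripwire report
MARKER = b"0x666"           # marker string from the report; ASCII encoding is an assumption

def has_marker(path, marker=MARKER, chunk=1 << 20):
    """Stream the file and search for the marker, carrying an overlap so a
    marker split across two reads is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            window = tail + block
            if marker in window:
                return True
            tail = window[-(len(marker) - 1):]

def triage(root):
    """Return (path, confirmed) for every file under root with the extension.
    confirmed is True/False for marker presence, None if the file is unreadable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSION):
                continue
            path = os.path.join(dirpath, name)
            try:
                confirmed = has_marker(path)
            except OSError:
                confirmed = None  # report the file, do not guess its content
            hits.append((path, confirmed))
    return hits

def demo():
    """Run the sweep over a constructed sample tree (no real ransomware output)."""
    samples = {
        "finance/q1.xlsx.threeamtime": b"\x8f\x11" * 40 + b"0x666" + b"\x00" * 16,
        "finance/notes.txt": b"ordinary file that mentions 0x666",
        "hr/renamed_only.threeamtime": b"plain text, no marker",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = pathlib.Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(data)
        return sorted((pathlib.Path(p).relative_to(root).as_posix(), c) for p, c in triage(root))
```

A file that carries the extension but not the marker is still worth reviewing: it may have been renamed by something else, or the marker assumption may not hold for that sample.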

It is speculated that 3AM was initially developed as a ‘backup option’ for the LockBit ransomware, to be used if the latter failed in successfully launching a cyber attack.


