Sophos Client

Sophos reports a targeted 3AM ransomware attack on one of its clients in the first quarter of 2025. The attackers used email bombing and spoofed IT support calls to gain access to corporate systems, and through this access they exfiltrated 868 GB of data to Backblaze cloud storage. Because Sophos' products blocked lateral movement and attempts to disable defenses, the damage was limited to data theft and the encryption of the compromised host. The attack lasted 9 days, with the data theft completed by day three.

Source: https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-it-calls-email-bombing-to-breach-networks/

TPRM report: https://scoringcyber.rankiteo.com/company/sophositservices

{
"id": "sop514052325",
"linkid": "sophositservices",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'name': 'Sophos client', 'type': 'Corporate'}],
 'attack_vector': ['Email bombing',
                   'Spoofed IT support calls',
                   'Vishing',
                   'Microsoft Quick Assist abuse'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '868 GB of data'},
 'date_detected': 'Q1 2025',
 'description': 'A 3AM ransomware affiliate conducted highly targeted attacks '
                'using email bombing and spoofed IT support calls to socially '
                'engineer employees into giving credentials for remote access '
                'to corporate systems.',
 'impact': {'data_compromised': '868 GB of data'},
 'initial_access_broker': {'backdoors_established': ['QDoor backdoor'],
                           'entry_point': ['Email bombing',
                                           'Spoofed IT support calls']},
 'lessons_learned': ['Importance of employee awareness',
                     'Auditing administrative accounts',
                     'Blocking unapproved legitimate tools'],
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': ['Auditing administrative '
                                                   'accounts',
                                                   'Using XDR tools to block '
                                                   'unapproved tools',
                                                   'Enforcing signed scripts '
                                                   'via PowerShell execution '
                                                   'policies',
                                                   'Increasing employee '
                                                   'awareness'],
                            'root_causes': ['Social engineering',
                                            'Remote access vulnerabilities']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': '3AM'},
 'recommendations': ['Audit administrative accounts for poor security',
                     'Use XDR tools to block unapproved legitimate tools',
                     'Enforce signed scripts via PowerShell execution policies',
                     'Increase employee awareness'],
 'references': [{'source': 'Sophos'}],
 'response': {'containment_measures': ['Blocked lateral movement',
                                       'Blocked defense deactivation attempts',
                                       'Blocked ransomware encryptor'],
              'remediation_measures': ['Auditing administrative accounts',
                                       'Using XDR tools to block unapproved '
                                       'tools',
                                       'Enforcing signed scripts via '
                                       'PowerShell execution policies',
                                       'Increasing employee awareness'],
              'third_party_assistance': ['Sophos']},
 'threat_actor': ['3AM ransomware affiliate',
                  'Conti and Royal ransomware gangs'],
 'title': '3AM Ransomware Attack on Sophos Client',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Social engineering',
                             'Remote access vulnerabilities']}