ThreeAM is a ransomware threat actor and ransomware-as-a-service operation active by at least late 2023 and still observed in 2025–2026. The group is commonly referenced as ThreeAM, with aliases including threeam and three_am. It has been associated with opportunistic, multi-sector victimization across multiple regions, including North America, Europe, Latin America, Asia-Pacific, and Australia, with reported victims spanning business services, technology, legal services, healthcare-related organizations, education, agriculture, food production, and industrial-adjacent enterprises. ThreeAM is known for double-extortion style ransomware activity in which data theft accompanies encryption and victims are pressured through public exposure risk. Reported tradecraft includes social engineering by affiliates impersonating internal IT support, including spoofing an organization’s IT department telephone number to gain trust and facilitate access or execution. Affiliates have also been described modifying attack patterns and using defensive-evasion measures such as deploying a virtual machine on a compromised host to conceal their foothold from endpoint protection tooling. The group has been tracked in ransomware trend reporting focused on industrial and enterprise environments, but available high-confidence public information remains limited compared with more established major ransomware brands. No reliable public attribution links ThreeAM to a specific nation-state. It is best characterized as a financially motivated cybercriminal ransomware operation with affiliate-driven intrusion activity. Known aliases include Three AM, threeam, and three_am.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against tws-tac.net.
Conducting a ransomware attack against Guardian Barrier Services.
Conducting a ransomware attack against acemacon.org.
Conducting a ransomware attack against mgrlaw.com, a US law firm in the business services sector.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.