ThreeAM is a ransomware threat actor active by at least late 2023 and observed continuing operations through 2026. The group is known primarily for extortion-oriented intrusions in which victim organizations are publicly named after alleged data theft and ransomware deployment. Reported victimology indicates broad, opportunistic targeting across multiple regions, including North America, Europe, Latin America, Asia, and Australia, and across sectors such as technology, legal services, healthcare-related organizations, education, agriculture and food production, industrial and business services. ThreeAM has been identified in ransomware reporting as an emerging group first observed in the fourth quarter of 2023. Available high-confidence information supports characterization as a financially motivated cybercriminal operation rather than a nation-state actor. Publicly attributed activity shows no consistent sector specialization and instead reflects a multi-industry targeting pattern typical of modern big-game hunting and data-extortion ransomware crews. Operationally, ThreeAM is associated with ransomware attacks that are also described as data breaches, indicating use of double-extortion style pressure in at least some cases. Public reporting tied to the group centers on victim claims and leak-site style exposure rather than detailed technical tradecraft, so specific intrusion vectors, malware lineage, tooling, persistence mechanisms, and affiliate structure are not currently available from the provided evidence. No corroborated sub-groups or widely used alternate aliases are established beyond the stylized form of the name itself. ThreeAM should be tracked as a distinct ransomware actor whose known activity consists of naming victims across diverse geographies and industries, with extortion pressure apparently derived from both encryption and claimed data compromise. Technical attribution details remain limited, but the group fits the broader ecosystem of financially motivated ransomware operators that conduct disruptive intrusions and leverage public exposure of victims to increase coercive pressure.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against tws-tac.net.
Conducting a ransomware attack against Guardian Barrier Services.
Conducting a ransomware attack against acemacon.org.
Conducting a ransomware attack against mgrlaw.com, a US law firm in the business services sector.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.