The PolySwarm Blog

Trinity Ransomware

Oct 18, 2024 2:30:02 PM / by The Hivemind

TRINITY
Related Families: Venus, 2023Lock
Verticals Targeted: Healthcare, Manufacturing, Business Services

Executive Summary

Trinity ransomware, which was recently observed targeting the healthcare, manufacturing, and business services verticals, is an emerging threat. 

Key Takeaways

  • Trinity ransomware was first seen in the wild in May 2024.
  • It was recently observed targeting several verticals, including healthcare, manufacturing, and business services. 
  • Like many ransomware families, Trinity uses a double extortion model.
  • Industry researchers noted Trinity shares similarities with the Venus and 2023Lock ransomware families. 
  • PolySwarm analysts consider Trinity to be an emerging threat.  

What is Trinity?

Trinity is a relatively new ransomware family. It was recently observed targeting several verticals, including healthcare, manufacturing, and business services. The Department of Health and Human Services recently issued an advisory on Trinity ransomware. PolySwarm analysts consider Trinity to be an emerging threat.  

Trinity ransomware was first seen in the wild in May 2024. It is usually delivered via phishing, malicious websites, or exploiting software vulnerabilities. Once installed, Trinity gathers data about the victim machine to help optimize the multithreaded encryption process it uses. Trinity attempts to impersonate the token of a legitimate process in order to escalate privileges while evading detection. Trinity also scans the network and moves laterally, targeting multiple systems in a compromised network. 

Trinity uses ChaCha20 for encryption and appends the .trinitylock extension to encrypted files. Following encryption, Trinity creates a ransom note in both text and .hta formats and changes the infected machine’s wallpaper. Trinity uses a double extortion tactic. This involves encrypting victim files and demanding ransom to decrypt those files, as well as stealing victim data and threatening to leak it if the victim does not take the threat seriously. Victims must contact the ransomware operators within 24 hours of the attack. 

Researchers at Cyble have noted Trinity shares similarities with the Venus and 2023Lock ransomware families. Trinity and 2023Lock reportedly have identical code and identical ransom notes, suggesting Trinity may be the successor to 2023Lock. While Trinity still has a relatively low victim count compared to other ransomware families, Trinity’s targeting of entities in the healthcare vertical makes it a serious threat.

IOCs

PolySwarm has a sample of Trinity ransomware.

36696ba25bdc8df0612b638430a70e5ff6c5f9e75517ad401727be03b26d8ec4
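
As an added example, not part of the PolySwarm bulletin or its tooling, the following Python script triages a directory tree for the on-disk artifacts this bulletin describes: files carrying the .trinitylock extension, the text and .hta ransom-note drops, and any file whose SHA-256 matches the sample hash above. The directory layout it builds is constructed for the demonstration, and the choice to flag a .txt file only when it sits beside encrypted files is an assumption of this example, since the bulletin does not give the ransom note's filename.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the Trinity sample listed in the bulletin's IOC section.
TRINITY_SAMPLE_SHA256 = "36696ba25bdc8df0612b638430a70e5ff6c5f9e75517ad401727be03b26d8ec4"
# Extension Trinity appends to files it has encrypted.
ENCRYPTED_EXT = ".trinitylock"


def sha256_of(path):
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_tree(root, known_hashes=frozenset({TRINITY_SAMPLE_SHA256})):
    """Walk `root` and collect Trinity-related artifacts.

    Returns a dict with:
      encrypted     - paths ending in .trinitylock
      notes         - .hta files anywhere, plus .txt files that share a directory
                      with at least one encrypted file (assumption: plain .txt files
                      elsewhere are too common to flag on their own)
      known_samples - paths whose SHA-256 is in `known_hashes`
      verdict       - "trinity_artifacts_present" or "clean"
    """
    encrypted, notes, known = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_has_encrypted = any(n.lower().endswith(ENCRYPTED_EXT) for n in filenames)
        for name in filenames:
            path = Path(dirpath) / name
            suffix = path.suffix.lower()
            if suffix == ENCRYPTED_EXT:
                encrypted.append(str(path))
                continue  # ciphertext is never the dropper; no need to hash it
            if suffix == ".hta" or (suffix == ".txt" and dir_has_encrypted):
                notes.append(str(path))
            try:
                # Hash every remaining file; a hit means the sample itself is on disk.
                if sha256_of(path) in known_hashes:
                    known.append(str(path))
            except OSError:
                # Unreadable (locked or permission-denied) files are skipped, not fatal.
                continue
    verdict = "trinity_artifacts_present" if (encrypted or known) else "clean"
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "known_samples": sorted(known),
        "verdict": verdict,
    }


def build_constructed_tree(base):
    """Create a small constructed layout imitating a share hit by the ransomware."""
    base = Path(base)
    (base / "finance").mkdir(parents=True)
    (base / "finance" / "q3.xlsx.trinitylock").write_bytes(b"\x00" * 32)
    (base / "finance" / "README.txt").write_text("ransom note placeholder (constructed)")
    (base / "finance" / "README.hta").write_text("<html>constructed note</html>")
    (base / "docs").mkdir()
    (base / "docs" / "notes.txt").write_text("ordinary notes, not a ransom note")
    return base


def run_constructed_demo():
    """Build the constructed tree in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_constructed_tree(tmp)
        result = triage_tree(base)
        # Second pass with one constructed file's hash registered as "known", to show
        # the hash check firing; the real bulletin hash is the default.
        decoy = base / "docs" / "notes.txt"
        hash_hits = triage_tree(base, known_hashes=frozenset({sha256_of(decoy)}))["known_samples"]
        return result, hash_hits


if __name__ == "__main__":
    findings, hits = run_constructed_demo()
    for key, value in findings.items():
        print(f"{key}: {value}")
    print(f"hash-match demo: {hits}")
```

Run it against a mounted share or a forensic image mount point by calling `triage_tree(root)`; the hash comparison is what ties a hit back to the bulletin's sample, while the extension and note checks catch the post-encryption state even when the dropper has already been deleted.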

You can use the following CLI command to search for all Trinity samples in our portal:

$ polyswarm link list -f Trinity

Topics: Threat Bulletin, Ransomware, Healthcare, Manufacturing, Emerging Threat, Trinity
