Overview:
- Relatively new ransomware group (first observed May 2024).
- Employs double extortion: data exfiltration before encryption.
- Uses ChaCha20 encryption algorithm; “.trinitylock” file extension.
- Operates victim support and data leak websites.
- Confirmed victims in US and UK healthcare sectors.
- Possible links to 2023Lock and Venus ransomware groups.
- No readily available decryption tools; high impact on victims.
Known Aliases of Trinity Ransomware:
Trinity Ransomware (no other aliases reported). Possible links to 2023Lock and Venus ransomware imply potentially shared infrastructure or development.
Country of Origin:
Not known.
Known High-Profile Victims of Trinity Ransomware:
No clear information on victims is available; however, the HC3 report, while maintaining victim confidentiality, has given these details:
- The report mentions at least one healthcare entity in the United States as a recent victim.
- A United Kingdom-based healthcare provider is also listed as a victim.
- A U.S.-based gastroenterology services provider was targeted, with Trinity claiming access to 330 GB of data.
- A total of seven victims have been identified to date.
Trinity Ransomware MITRE ATT&CK Tactics and Techniques:
- Execution: T1204.002 (User Execution) – Using malicious files.
- Defense Evasion: T1134 (Access Token Manipulation) – Impersonating legitimate process tokens.
- Defense Evasion: T1140 (Deobfuscate/Decode Files or Information) – The binary contains encrypted strings.
- Discovery: T1083 (File and Directory Discovery) – Enumerating folders for encryption.
- Lateral Movement: T1570 (Lateral Tool Transfer) – Enumerating network shares and scanning the network.
- Impact: T1486 (Data Encrypted for Impact) – Encrypting data for extortion.
- Impact: T1491.001 (Defacement: Internal Defacement) – Changing desktop wallpaper.
- Impact: T1490 (Inhibit System Recovery) – Removing shadow copies.
Common Methods of Infiltration of Trinity Ransomware:
Several methods are used by Trinity for initial access:
- Exploiting vulnerabilities in unpatched software or systems.
- Phishing attacks (malicious attachments or links).
- Compromising Remote Desktop Protocol (RDP) endpoints with weak or stolen credentials.
Malware/Ransomware Strain(s) Used by Trinity Ransomware:
The primary ransomware strain used is Trinity ransomware.
There are similarities between Trinity and 2023Lock and Venus ransomware, suggesting potential connections.
- Ransomware Type: Trinity is a double extortion ransomware, meaning it exfiltrates data before encrypting files, increasing pressure on victims to pay.
- Encryption Algorithm: It uses the ChaCha20 encryption algorithm.
- File Extension: Encrypted files are tagged with the “.trinitylock” extension.
- Ransom Note: The ransom note is delivered in both text and .hta formats and includes instructions, an onion site URL, and an email address for communication. Victims are given 24 hours to respond.
- Infrastructure: Trinity operates both a victim support site (for decryption attempts of small files) and a data leak site.
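As an added detection example (not from the HC3 report or any Trinity sample analysis), the rules below map three of the ATT&CK techniques listed above onto simple endpoint telemetry: T1490 via shadow-copy deletion command lines, T1491.001 via a write to the desktop wallpaper registry value, and T1486 via a burst of renames to the ".trinitylock" extension from a single process. The event format (`timestamp|type|pid|detail`), the sample events, the specific shadow-copy command patterns, and the burst threshold are all assumptions constructed for the example; the profile only states that shadow copies are removed, the wallpaper is changed, and files receive the ".trinitylock" extension.

```python
"""Toy detections for the Trinity techniques T1490, T1491.001 and T1486.

Events are constructed Sysmon-style lines of the form
    timestamp|type|pid|detail
This is illustrative code, not a vendor or HC3 detection rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRINITY_EXT = ".trinitylock"  # extension named in the profile

# Assumed command-line patterns for shadow-copy removal. The profile says only
# "removing shadow copies"; these are common ways that is done on Windows.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),          # WMI / PowerShell variant
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Per-user wallpaper value; a write here from a non-shell process is unusual.
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)

# Assumed burst parameters: this many .trinitylock renames from one PID within
# the window is treated as encryption in progress.
RENAME_BURST_THRESHOLD = 5
RENAME_WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Split 'ts|type|pid|detail' into a dict; return None for malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, etype, pid, detail = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "type": etype, "pid": pid, "detail": detail}


def detect(lines):
    """Return a list of (technique, pid, evidence) tuples for the given events."""
    alerts = []
    renames = defaultdict(list)  # pid -> timestamps of .trinitylock renames
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed telemetry rather than crash
        if ev["type"] == "ProcessCreate":
            if any(p.search(ev["detail"]) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(("T1490", ev["pid"], ev["detail"]))
        elif ev["type"] == "RegistrySet":
            key = ev["detail"].split("=", 1)[0]
            if WALLPAPER_KEY.search(key):
                alerts.append(("T1491.001", ev["pid"], ev["detail"]))
        elif ev["type"] == "FileRename":
            new_name = ev["detail"].split("->")[-1].strip()
            if new_name.lower().endswith(TRINITY_EXT):
                renames[ev["pid"]].append(ev["ts"])
    # Sliding window over each process's rename timestamps.
    for pid, stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + RENAME_BURST_THRESHOLD - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= RENAME_WINDOW:
                alerts.append(("T1486", pid, f"{len(stamps)} {TRINITY_EXT} renames"))
                break
    return alerts


# Constructed sample events (pids, paths and timestamps are invented).
SAMPLE_EVENTS = [
    "2024-06-01T10:00:00|ProcessCreate|4120|C:\\Users\\Public\\update.exe",
    "2024-06-01T10:00:05|ProcessCreate|4120|vssadmin.exe delete shadows /all /quiet",
    "2024-06-01T10:00:10|FileRename|4120|D:\\share\\q1.xlsx -> D:\\share\\q1.xlsx.trinitylock",
    "2024-06-01T10:00:12|FileRename|4120|D:\\share\\q2.xlsx -> D:\\share\\q2.xlsx.trinitylock",
    "2024-06-01T10:00:14|FileRename|4120|D:\\share\\q3.xlsx -> D:\\share\\q3.xlsx.trinitylock",
    "2024-06-01T10:00:16|FileRename|4120|D:\\share\\q4.xlsx -> D:\\share\\q4.xlsx.trinitylock",
    "2024-06-01T10:00:18|FileRename|4120|D:\\share\\q5.xlsx -> D:\\share\\q5.xlsx.trinitylock",
    "2024-06-01T10:01:30|RegistrySet|4120|HKCU\\Control Panel\\Desktop\\Wallpaper=C:\\Users\\Public\\wall.bmp",
    "2024-06-01T10:02:00|FileRename|7788|C:\\tmp\\a.docx -> C:\\tmp\\a.docx.bak",
    "not a valid event line",
]

if __name__ == "__main__":
    for technique, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique}\tpid={pid}\t{evidence}")
```

Each rule is weak on its own (shadow-copy deletion also occurs in legitimate backup maintenance, and wallpaper writes come from user activity), but the same process ID producing all three alerts within two minutes is the pattern worth paging on; the rename burst is what ties the generic process and registry signals to this specific extension.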