Trinity Ransomware Analysis

Ransomware

October 7, 2024

The United States Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Threat Actor Profile regarding a relatively new threat actor identified as Trinity Ransomware. Even though the analysis is focused on the Healthcare and Public Health (HPH) Sector, all agencies and organizations are encouraged to review the information contained in the Threat Actor Profile.

Trinity ransomware is a relatively new threat actor, known for employing a double extortion strategy. This method involves exfiltrating sensitive data before encrypting files, thereby increasing pressure on victims to pay the ransom. This ransomware uses the ChaCha20 encryption algorithm, and encrypted files are tagged with the .trinitylock file extension. Trinity operates a victim support site for decryption assistance and a leak site that displays their victims. It also shares similarities with two other ransomware groups—2023Lock and Venus—suggesting possible connections or collaborations among these threat actors. The group’s tactics and techniques are sophisticated, making them a significant threat to the US HPH. HC3 is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently.
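
One defender-side check that follows from the .trinitylock extension noted above: flag a host on which many files are renamed to that extension within a short window, since a single stray rename is noise but a burst is the encryption phase in progress. This is an added example run over constructed audit events, not code from HC3 or the NJCCIC; the log line format, host names, paths, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from the advisory), one per line:
# "timestamp host action path". HOST-A shows a mass-rename burst; HOST-B a lone rename.
SAMPLE_EVENTS = """\
2024-10-07T02:14:00 HOST-A WRITE  C:\\Users\\jdoe\\Documents\\q3_report.docx
2024-10-07T02:14:01 HOST-A RENAME C:\\Users\\jdoe\\Documents\\q3_report.docx.trinitylock
2024-10-07T02:14:02 HOST-A RENAME C:\\Users\\jdoe\\Documents\\patients.xlsx.trinitylock
2024-10-07T02:14:02 HOST-A RENAME C:\\Users\\jdoe\\Pictures\\scan01.png.TRINITYLOCK
2024-10-07T02:14:03 HOST-A RENAME C:\\Shares\\clinic\\intake.pdf.trinitylock
2024-10-07T02:14:05 HOST-A RENAME C:\\Shares\\clinic\\billing.csv.trinitylock
2024-10-07T02:30:00 HOST-B RENAME C:\\Temp\\notes.txt.trinitylock
2024-10-07T02:31:00 HOST-B WRITE  C:\\Temp\\other.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
TRINITY_EXT_RE = re.compile(r"\.trinitylock$", re.IGNORECASE)  # extension is case-insensitive on NTFS

def parse_events(text):
    """Yield (timestamp, host, action, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, action, path = m.groups()
        yield datetime.fromisoformat(ts), host, action, path

def find_trinity_bursts(text, threshold=4, window=timedelta(seconds=60)):
    """Return {host: peak count} for hosts with at least `threshold` renames to
    .trinitylock inside any sliding `window`. Hosts below the threshold are omitted."""
    renames = defaultdict(list)
    for ts, host, action, path in parse_events(text):
        if action == "RENAME" and TRINITY_EXT_RE.search(path):
            renames[host].append(ts)
    hits = {}
    for host, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = max(hits.get(host, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    print(find_trinity_bursts(SAMPLE_EVENTS))  # {'HOST-A': 5}
```

The threshold and window are tuning knobs; a real deployment would read events from an EDR or file-audit feed rather than the embedded sample.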

This HC3 Threat Actor Profile provides an overview of the group, its likely tactics, techniques, and procedures (TTPs), indicators of compromise, and recommended mitigations. This advisory is being provided to assist all agencies and organizations in guarding against the persistent malicious actions of cyber criminals.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.