HHS Advisory About Trinity Ransomware Attacks on the Healthcare Sector

By Daniel Lopez

The Health Sector Cybersecurity Coordination Center (HC3) has published information about the Trinity ransomware group, a comparatively new threat actor that emerged in May 2024 and has carried out at least two ransomware attacks on healthcare organizations, one in the U.S. and one in the U.K.

The U.K. victim provides cosmetic dentistry services in Jersey, and the U.S. victim provides gastroenterology services. Trinity claims to have stolen 330 GB of data in its attack on Rocky Mountain Gastroenterology. The group is responsible for two of the ten known attacks on healthcare companies and is regarded as a considerable threat to the U.S. healthcare sector.

Like other ransomware groups, Trinity uses double extortion, stealing data before encrypting files. The group requires the victim to pay a ransom to obtain the decryption keys and to prevent the stolen information from being published on its dark web data leak site. Victims are given 24 hours to contact the group, after which they are listed on the leak site. If no ransom is paid within the stated period, the group says it will publish the stolen information there. The group also runs a support site where victims can upload an encrypted file of under 2 MB to test decryption.

According to security researchers, Trinity ransomware shares similarities with 2023Lock and Venus, which suggests there are likely connections between the three ransomware groups. Trinity actors have been observed using several initial access methods, including exploitation of software vulnerabilities, phishing emails, and malware infections.

Once on the network, the ransomware collects system information such as the number of processors, connected drives, and available threads, which it uses to tune its multi-threaded encryption. It attempts to escalate privileges using the token of a legitimate process; if that succeeds, it can evade security processes.

The group then conducts a network scan, moves laterally across the environment, exfiltrates data, and initiates file encryption on multiple devices. Encrypted files are given the “.trinitylock” extension. After encryption, the ransomware drops a ransom note on the desktop or in the affected folders and changes the desktop wallpaper. Victims are told to contact the group by email to learn how much they must pay to decrypt their files and prevent the stolen information from being published.
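The “.trinitylock” extension and the dropped ransom note described above give responders a quick way to scope which folders or shares an attack touched. The following triage script is an added example, not code from the HC3 advisory or this article; it walks a directory tree, counts renamed files per folder, and flags note-like text files. The note filename pattern is an assumption (the article does not give it) and should be replaced with the filenames from the HC3 IoC list; the sample tree is constructed inline.

```python
# Added triage example: scope a suspected Trinity ransomware hit by counting
# ".trinitylock" files per folder and spotting ransom-note candidates.
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".trinitylock"
# Assumed note-name pattern; the advisory's IoCs are authoritative.
NOTE_PATTERN = re.compile(r"readme|how.?to.?decrypt|trinity", re.IGNORECASE)


def scan_tree(root):
    """Return (encrypted files per folder, list of note-like files) under root."""
    encrypted = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted[rel_dir] += 1
            elif lower.endswith(".txt") and NOTE_PATTERN.search(lower):
                notes.append(os.path.join(rel_dir, name))
    return encrypted, notes


def is_likely_hit(encrypted, notes, min_files=3):
    """Flag when several renamed files exist or any note candidate was found."""
    return sum(encrypted.values()) >= min_files or bool(notes)


def build_sample_tree():
    """Constructed sample layout: two folders hit, one untouched."""
    root = tempfile.mkdtemp(prefix="trinity_demo_")
    layout = {
        "Desktop": ["report.docx.trinitylock", "README_trinity.txt"],
        "Shares/imaging": ["scan1.dcm.trinitylock", "scan2.dcm.trinitylock"],
        "Shares/hr": ["handbook.pdf"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits, found_notes = scan_tree(demo_root)
    print(dict(hits), found_notes, is_likely_hit(hits, found_notes))
```

Run it against a mounted share or forensic image root instead of the sample tree to get a per-folder count of encrypted files for the incident timeline.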

HC3 has published the group’s likely tactics, techniques, and procedures, along with a YARA rule, indicators of compromise, and recommended mitigations. Healthcare organizations would benefit from incorporating these into their HIPAA training.

Image credit: Have a nice day, AdobeStock


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach and contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA