HHS Issues Warning About Trinity Ransomware Following Healthcare Attacks
The Health Sector Cybersecurity Coordination Center (HC3) has published a threat actor profile on Trinity ransomware, a relatively new group that emerged in May 2024 and has conducted at least two attacks on healthcare providers, one in the United States and one in the United Kingdom.
The UK victim is a cosmetic dentistry practice in Jersey, and the U.S. victim, Rocky Mountain Gastroenterology, is a provider of gastroenterology services; Trinity claims to have stolen 330 GB of data in that attack. With two of its ten known victims in the healthcare sector, the group is considered to pose a significant threat to U.S. healthcare organizations.
Like many other ransomware actors, Trinity engages in double extortion, stealing data before encrypting files. Victims are told to pay the ransom to obtain the decryption keys and to prevent publication of the stolen data on the group’s dark web data leak site. Victims are given 24 hours to make contact; those that do not are listed on the leak site, and the group claims it will publish the stolen data there if the ransom is not paid within the allotted time. The group also maintains a support site where victims can upload an encrypted file of less than 2 MB to test decryption.
Security researchers have identified similarities between Trinity ransomware and two other ransomware families, 2023Lock and Venus, which suggests possible connections between the groups. Trinity actors have been observed using several methods to gain initial access to victims’ networks, including phishing emails, exploitation of software vulnerabilities, and malicious websites hosting malware.
Once access has been gained, the ransomware collects system information, including the number of processors, available threads, and connected drives, and uses it to tune its multi-threaded encryption. It attempts to escalate privileges by impersonating the token of a legitimate process; if that succeeds, the elevated context is used to evade security controls.
The group then scans the network, moves laterally, exfiltrates data, and attempts to encrypt files on multiple systems. Encrypted files are given the .trinitylock extension. After encryption, a ransom note is dropped on the desktop or in the directories containing encrypted files, and the desktop wallpaper is changed. Victims must contact the group by email to learn how much they must pay to decrypt their files and prevent publication of the stolen data.
HC3 has shared the group’s likely tactics, techniques, and procedures, indicators of compromise, a YARA rule, and recommended mitigations in its HC3: Trinity Ransomware Threat Actor Profile.
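The .trinitylock extension described above is the one file-system indicator this article gives, and it is enough to start a hunt on hosts and file shares. The script below is an added example written for this page; it is not code from HC3 or HIPAA Journal. It walks a directory tree (or any list of paths from an EDR inventory or MFT export), groups encrypted files by directory, recovers the original filenames, and tallies which data types were reached. The ransom-note filename is not given on this page, so note detection is driven by a caller-supplied list that is an assumption, not a published indicator.

```python
#!/usr/bin/env python3
"""Hunt for Trinity ransomware encryption artifacts.

Added example for this article; not code from HC3 or HIPAA Journal.
Only the .trinitylock extension comes from the page; any ransom-note
filename passed in note_names is an assumption supplied by the caller.
"""
from __future__ import annotations

import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable

TRINITY_EXT = ".trinitylock"  # extension reported in the HC3 profile


@dataclass
class DirFinding:
    directory: str
    encrypted: list = field(default_factory=list)  # files carrying .trinitylock
    notes: list = field(default_factory=list)      # files matching an assumed note name
    untouched: int = 0                             # other files in the same directory


def original_name(name: str) -> str:
    """Recover the pre-encryption filename: 'q1.xlsx.trinitylock' -> 'q1.xlsx'."""
    if name.lower().endswith(TRINITY_EXT):
        return name[: -len(TRINITY_EXT)]
    return name


def scan_paths(paths: Iterable[str], note_names: Iterable[str] = ()) -> Dict[str, DirFinding]:
    """Classify file paths; return only directories that show Trinity indicators.

    Pure function: feed it os.walk output, an EDR file inventory, or an MFT
    export. note_names is an ASSUMED set of ransom-note filenames (the page
    does not name one); matched case-insensitively.
    """
    notes = {n.lower() for n in note_names}
    findings: Dict[str, DirFinding] = {}
    for path in paths:
        directory, name = os.path.split(path)
        f = findings.setdefault(directory, DirFinding(directory))
        low = name.lower()
        if low.endswith(TRINITY_EXT):
            f.encrypted.append(name)
        elif low in notes:
            f.notes.append(name)
        else:
            f.untouched += 1
    return {d: f for d, f in findings.items() if f.encrypted or f.notes}


def affected_types(findings: Dict[str, DirFinding]) -> Counter:
    """Count the original extensions of encrypted files so a responder can see
    which data classes (spreadsheets, databases, images) the run reached."""
    counts: Counter = Counter()
    for f in findings.values():
        for name in f.encrypted:
            _, ext = os.path.splitext(original_name(name))
            counts[ext.lower() or "<none>"] += 1
    return counts


def walk_and_scan(root: str, note_names: Iterable[str] = ()) -> Dict[str, DirFinding]:
    """Walk a directory tree and scan every regular file path found."""
    def gen():
        for dirpath, _, files in os.walk(root):
            for fn in files:
                yield os.path.join(dirpath, fn)
    return scan_paths(gen(), note_names)


if __name__ == "__main__":
    # Constructed demo tree: empty placeholder files, not real samples.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("finance/q1.xlsx.trinitylock", "finance/q2.xlsx.trinitylock",
                    "finance/README.txt", "hr/policy.docx"):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "w").close()
        hits = walk_and_scan(root)
        for d, f in hits.items():
            print(f"{d}: {len(f.encrypted)} encrypted, {f.untouched} untouched")
        print("affected types:", dict(affected_types(hits)))
```

Run it against a mounted share or an exported file inventory rather than a live infected host where possible; the per-directory ratio of encrypted to untouched files also shows whether the encryption run completed or was interrupted, which matters when deciding what can be restored from backup versus what must be treated as lost.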