Cybersecurity researchers at Cyble's Research and Intelligence Labs (CRIL) have uncovered a new ransomware variant called Trinity, which employs a double extortion strategy and has potential links to the previously identified Venus ransomware.
This article explores the findings about the Trinity ransomware strain as well as the noted similarities between the Trinity and Venus ransomware strains.
Uncovering Tactical and Technical Details of Trinity Ransomware
CRIL researchers
observed a new ransomware variant called Trinity, that employs common double extortion tactics such as exfiltrating data from victim's systems before encrypting them, and the intent to use both a support and leak site in their operations.
The support site allows victims to upload sample files less than 2MB in size for decryption, while the leak site though currently empty, threatens to expose victim
data.
[caption id="attachment_68024" align="alignnone" width="940"]
Source: Cyble Blog[/caption]
Upon initial stages of the investigation, researchers observed similarities between the Trinity
ransomware and the 2023Lock ransomware which has been active since early 2024. The deep similarities between the two variants such as identical ransom notes, and code suggest that Trinity might be a newer variant of the 2023Lock ransomware.
Researchers noted an intricate execution process in the ransomware's operations such as a search for a ransom note within its binary file and immediately terminates if the file is unavailable. The ransomware collects system information such as the processor count, the pool of threads, and existing drives to prepare its multi-threaded encryption process.
The ransomware then attempts
privilege escalation by impersonating a legitimate process's token for its own usage, enabling the ransomware to bypass security measures. The ransomware deploys network enumeration activity along with lateral movement, demonstrating broad attack capability.
[caption id="attachment_68025" align="alignnone" width="547"]
Source: Cyble Blog[/caption]
The Trinity variant employs the ChaCha20 algorithm to encrypt of victim files. After encryption, filenames are appended with β.trinitylock,β while ransom notes are left in both text and .hta formats in. The ransomware also modifies the desktop wallpaper to the ransomware note and uses a specific registry key to facilitate this change.
Similarities Between Trinity Ransomware and Venus Ransomware
The connections between Trinity and Venus go beyond mere similarities in their ransom notes and registry usage.
Venus, an established ransomware operation with a global reach, emerged around mid-2022. The similarities between Venus and Trinity extend to their usage of identical registry values and consistency in their mutex naming conventions and code base.
Additionally, the ransom notes used by both ransomware variants exhibit a similar format. The shared tactics and techniques indicate a possible collaboration between the two groups. This collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns.
CRIL researchers have
advised organizations to stay vigilant and implement robust cybersecurity measures to protect against these evolving threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Login