In the Shadow of Venus: Trinity Ransomware’s Covert Ties 

Trinity ransomware, identified by CRIL, uses double extortion (data theft before encryption) and shares code and infrastructure traits with the 2023Lock and Venus campaigns; its operators run both a victim support site and a data-leak site. The analysis details ChaCha20-based file encryption, registry changes that replace the desktop wallpaper, mutex naming conventions, and multi-stage execution techniques that point to a broader threat actor ecosystem. #TrinityRansomware #2023Lock #VenusRansomware #CRIL #Cyble

Keypoints

  • CRIL identifies a new ransomware variant named Trinity that uses double extortion (data exfiltration plus encryption).
  • Trinity operators use both a victim support site and a data leak site, with the leak site currently not displaying victims.
  • CRIL notes strong similarities between Trinity and 2023Lock (shared ransom note format and codebase), suggesting Trinity may be a new variant of 2023Lock.
  • Similarities with Venus ransomware (shared registry values and mutex naming conventions) imply a potential common threat actor.
  • Trinity employs ChaCha20 encryption, appends a “.trinitylock” extension, and uses text and .hta ransom notes, plus wallpaper defacement via registry changes.
  • Technical analysis shows dynamic function resolution, COM object creation, WMI shadow copy operations, mutex checks, privilege adjustments, registry key manipulation, and multithreaded file encryption.
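The artefacts the report names on the host side (the published sample hashes, the “.trinitylock” extension and .hta ransom notes) are enough for a first-pass triage sweep. The script below is an added example, not code from Cyble or from the report: it walks a directory tree, hashes each file with MD5/SHA1/SHA256 and compares against the three hashes listed under Indicators of Compromise, and tags files by extension. The ransom-note file names are not given in the report, so any .hta file is reported only as a low-confidence hit; the sample tree it builds is constructed data, not real artefacts.

```python
"""Host triage for the Trinity ransomware artefacts described in the write-up.

Added example, not code from Cyble's report. Flags (1) files whose
MD5/SHA1/SHA256 match the published sample hashes, (2) files carrying the
".trinitylock" extension, and (3) .hta files, one of the ransom-note formats
the report names (exact note names unknown, so this is low confidence).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Sample hashes published in the report (MD5, SHA1 and SHA256 of the binary).
TRINITY_HASHES = {
    "949c438e4ed541877dce02b38bf593ad",
    "4c58d2d624d9bdf6b14a6f8563788785074947a7",
    "36696ba25bdc8df0612b638430a70e5ff6c5f9e75517ad401727be03b26d8ec4",
}
ENCRYPTED_EXT = ".trinitylock"
NOTE_EXTS = {".hta"}  # assumption: any .hta deserves a look; real note names unknown


def hash_file(path, chunk_size=1 << 20):
    """Return {"md5", "sha1", "sha256"} hex digests, streamed so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def classify(path, ioc_hashes=TRINITY_HASHES):
    """Return a list of (confidence, reason) tags for one file; empty means nothing seen."""
    tags = []
    suffix = Path(path).suffix.lower()
    if suffix == ENCRYPTED_EXT:
        tags.append(("high", "encrypted-file-extension"))
    if suffix in NOTE_EXTS:
        tags.append(("low", "possible-ransom-note"))
    if set(ioc_hashes) & set(hash_file(path).values()):
        tags.append(("high", "ioc-hash-match"))
    return tags


def sweep(root, ioc_hashes=TRINITY_HASHES):
    """Walk root; return {relative_posix_path: tags} for every file with at least one tag."""
    findings = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            tags = classify(full, ioc_hashes)
            if tags:
                findings[full.relative_to(root).as_posix()] = tags
    return findings


def build_sample_tree(base):
    """Constructed sample data (not real artefacts): one encrypted doc, one .hta, two benign files."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.docx.trinitylock").write_bytes(b"\x00" * 64)
    (base / "docs" / "README.hta").write_text("<html><body>note</body></html>")
    (base / "docs" / "notes.txt").write_text("quarterly numbers")
    (base / "empty.bin").write_bytes(b"")
    return base


def run_demo():
    """Build the sample tree in a temp dir; return (findings, digests of the empty file)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        return sweep(base), hash_file(base / "empty.bin")


if __name__ == "__main__":
    findings, _ = run_demo()
    for path, tags in findings.items():
        print(path, tags)
```

Point `sweep()` at a mounted image or a suspect share rather than the demo tree; a hash match is definitive for the known sample, whereas the extension and .hta hits are leads that still need the file contents checked.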

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – the infection starts with the victim running the malicious file. Quote: ‘Malicious file.’
  • [T1134] Access Token Manipulation – the sample adjusts its privileges by impersonating tokens. Quote: ‘Impersonates Tokens’
  • [T1140] Deobfuscate/Decode Files or Information – strings are stored encrypted in the binary and decoded at runtime, alongside dynamic resolution of the API functions it calls. Quote: ‘The binary contains encrypted strings.’
  • [T1083] File and Directory Discovery – the ransomware walks folders to select files for encryption. Quote: ‘Ransomware enumerates folders for file encryption.’
  • [T1570] Lateral Tool Transfer – the report maps share enumeration and network scanning here; note that share enumeration on its own is discovery behaviour (T1135 Network Share Discovery). Quote: ‘Enumerates network shares and scans the network.’
  • [T1486] Data Encrypted for Impact – files are encrypted with ChaCha20 and renamed with the “.trinitylock” extension. Quote: ‘Ransomware encrypts the data for extortion.’
  • [T1491.001] Defacement: Internal Defacement – the desktop wallpaper is replaced via registry changes. Quote: ‘Changes desktop wallpaper.’
  • [T1490] Inhibit System Recovery – shadow copies are deleted through WMI. Quote: ‘Removes Shadow copies.’
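Two of the techniques above, shadow-copy removal (T1490) and wallpaper defacement through the registry (T1491.001), leave traces in process-creation telemetry that are cheap to detect and, seen together on one host, are a strong ransomware-impact signal. The script below is an added example and not from the report: the report states that Trinity removes shadow copies via WMI and changes the wallpaper through registry values but does not print the exact commands, so the patterns are assumptions covering the usual command-line forms (vssadmin, WMIC shadowcopy delete, PowerShell against Win32_ShadowCopy, and writes to the standard HKCU\Control Panel\Desktop\Wallpaper value). The log format and the log lines are constructed for the example.

```python
"""Detection sketch for T1490 (shadow-copy deletion) and T1491.001 (wallpaper
defacement via registry) over constructed process-creation records.

Added example, not from Cyble's report. The command-line patterns are
assumptions about how these actions usually appear in telemetry; the report
only states that Trinity uses WMI for shadow copies and the registry for the
wallpaper, without printing the exact commands.
"""
import re
from datetime import datetime

RULES = [
    ("T1490", "shadow-copy-deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*(\.Delete\(|Remove-WmiObject|Remove-CimInstance)",
        re.IGNORECASE)),
    ("T1491.001", "wallpaper-registry-change", re.compile(
        r"Control Panel\\Desktop.*\bWallpaper\b", re.IGNORECASE)),
]

# Constructed sample telemetry: ts<TAB>host<TAB>image<TAB>command line.
SAMPLE_LOG = """\
2024-05-10T12:00:01Z\tWS01\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c vssadmin delete shadows /all /quiet
2024-05-10T12:00:02Z\tWS01\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete
2024-05-10T12:00:03Z\tWS01\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2024-05-10T12:00:05Z\tWS01\tC:\\Windows\\System32\\reg.exe\treg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /t REG_SZ /d C:\\Users\\Public\\note.bmp /f
2024-05-10T12:00:06Z\tWS01\tC:\\Windows\\explorer.exe\texplorer.exe
2024-05-10T12:00:07Z\tWS01\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic os get caption
"""


def parse_log(text):
    """Parse the tab-separated records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("\t", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "image": image, "cmdline": cmdline})
    return events


def match_rules(event):
    """Return [(technique_id, rule_name)] for every rule whose pattern hits the command line."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(event["cmdline"])]


def detect(text):
    """Run every rule over every event; one hit record per (event, rule) match."""
    hits = []
    for ev in parse_log(text):
        for tid, name in match_rules(ev):
            hits.append({"ts": ev["ts"], "host": ev["host"], "technique": tid,
                         "rule": name, "cmdline": ev["cmdline"]})
    return hits


def correlate(hits, window_seconds=300):
    """Hosts where recovery inhibition and defacement both fire within the window."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, hs in by_host.items():
        t1490 = [h["ts"] for h in hs if h["technique"] == "T1490"]
        t1491 = [h["ts"] for h in hs if h["technique"] == "T1491.001"]
        if any(abs((a - b).total_seconds()) <= window_seconds for a in t1490 for b in t1491):
            flagged.append(host)
    return flagged


def run_demo():
    """Return (hits over SAMPLE_LOG, hosts flagged by the correlation)."""
    hits = detect(SAMPLE_LOG)
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, hosts = run_demo()
    for h in hits:
        print(h["ts"].isoformat(), h["host"], h["technique"], h["rule"], "|", h["cmdline"])
    print("hosts with impact chain:", hosts)
```

The benign `wmic os get caption` line is there on purpose: alerting on WMIC alone is noisy, so the rules key on the shadow-copy verbs, and the correlation step reserves the high-severity signal for hosts where both techniques fire close together.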

Indicators of Compromise

  • [Hash] Trinity Ransomware – MD5 949c438e4ed541877dce02b38bf593ad, SHA1 4c58d2d624d9bdf6b14a6f8563788785074947a7, SHA256 36696ba25bdc8df0612b638430a70e5ff6c5f9e75517ad401727be03b26d8ec4

Read more: https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties/