
Recently spotted Trinity ransomware spurs federal warning to healthcare industry

At least one U.S. healthcare entity has fallen victim to a new ransomware strain called Trinity, according to a report from federal officials.

The U.S. Department of Health and Human Services published an advisory on Friday warning hospitals of the threat posed by the ransomware group, noting that its tactics and techniques make it “a significant threat” to the U.S. healthcare and public health sector.

The department’s Health Sector Cybersecurity Coordination Center “is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently,” officials said. The advisory said the ransomware was first spotted around May 2024.

At least seven victims of the Trinity ransomware have been identified so far and two are healthcare providers. One is based in the U.K. and the other is a U.S.-based gastroenterology services provider that had 330 GB of data stolen. The facility, which was not identified but is listed on Trinity’s leak site, currently has a banner on its website saying it is experiencing technical issues and has limited access to phone systems. 

Researchers have reported another incident involving a New Jersey-based dental group. 

The advisory notes that the ransomware strain “shares similarities with two other ransomware groups — 2023Lock and Venus — suggesting possible connections or collaborations among these threat actors.”

The ransomware carries the hallmarks of most other operations, exploiting common vulnerabilities to steal data and extort victims.   

Once installed, the ransomware sends information about the system it is running on, including how many processors and connected drives are available to attack. The operators scan the network for additional vulnerabilities that can be exploited to move laterally and spread the ransomware further.

Encrypted files are tagged with the “trinitylock” file extension. After the encryption process is completed, a ransom note is generated and placed on the desktop or within directories with encrypted files.

The note contains instructions and an email address where the hackers can be contacted. Victims have 24 hours to respond and pay a ransom in cryptocurrency or their data will be leaked.

No decryption method is currently available, according to HHS, “leaving victims with few options.”

The operators run two different sites — one for decryption assistance to help those who have paid ransoms and another to display stolen data to extort victims. 

'Identical ransom notes and code'

Federal experts said they found that Trinity and Venus ransomware strains have similarities in their codebase and tactics, including their use of the same kind of encryption algorithm as well as similar registry values and naming conventions.

Likewise, Trinity shares traits with 2023Lock such as “identical ransom notes and code,” suggesting that Trinity might be a newer variant of it. 

The Health Sector Cybersecurity Coordination Center previously released an advisory on the Venus ransomware in 2022 after several attacks targeting the healthcare industry. 

Several researchers at cybersecurity companies also have said that Trinity was a rebrand of Venus and 2023Lock, with ransomware expert Allan Liska of Recorded Future telling The Record that it “is not a particularly sophisticated ransomware strain and I don’t think the actors behind it are that sophisticated either.” The Record is an editorially independent unit of Recorded Future.

HHS warned that the links between Trinity, Venus and 2023Lock “suggests a potential link or collaboration among threat actor groups.” 

“This collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns,” they said. 

HHS has previously released advisories on the Royal, Cuba, Venus, Lorenz and Hive ransomware groups. 

After minor declines in activity and earnings, ransomware operations have continued to flourish despite increased law enforcement action and industry pressure, earning an estimated $450 million through attacks in the first half of 2024. 

The attacks on the healthcare industry continue to cause significant harm to communities across the U.S. Last week a hospital in Texas, the only level 1 trauma center within 400 miles, was forced to limit operations and turn away ambulances due to a ransomware attack.

On Friday, the hospital said its phone lines are back up and running and that only a select number of ambulance patients are being diverted to other hospitals.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.