At least one U.S. healthcare organization has fallen victim to a new ransomware called Trinity, federal authorities report.
The U.S. Department of Health and Human Services on Friday issued an advisory warning hospitals about the threat posed by ransomware groups, noting that their tactics and techniques pose a “significant threat” to the U.S. medical and public health sectors.
The department's Health Sector Cybersecurity Coordination Center is “aware of at least one healthcare organization in the United States recently falling victim to the Trinity ransomware,” officials said. According to the advisory, the ransomware was first discovered around May 2024.
At least seven victims of Trinity ransomware have been identified so far, including two healthcare providers: one is a UK-based gastroenterology service provider, the other a US-based gastroenterology service provider from which 330 GB of data was stolen. The US facility, which has not been identified, is listed on Trinity's leak site; it currently displays a banner saying it is experiencing technical issues and has limited access to its phone system.
Researchers reported another incident involving a New Jersey-based dental group.
The advisory notes that this ransomware strain “shares similarities with two other ransomware groups, 2023Lock and Venus, suggesting possible connections and cooperation between these threat actors.”
Like most other ransomware operations, Trinity exploits common vulnerabilities to gain access, steal data and extort its victims.
Once installed, the ransomware collects operational information about the system, such as the number of processors and the attached drives available to attack. The operators then scan the network for additional vulnerabilities that can be exploited to move laterally and spread the ransomware further.
Encrypted files are given the file extension “trinitylock”. Once the encryption process is complete, a ransom note is generated and placed on the desktop and in the directories containing the encrypted files.
The note includes instructions and an email address for contacting the attackers. Victims are given 24 hours to respond and pay the ransom in cryptocurrency. If the ransom is not paid, the stolen data is leaked.
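The “trinitylock” extension described above is the one concrete indicator the advisory gives, and the encryption pass produces many such files in a short time. The following script, added here as an illustration and not part of the advisory or the article, runs a sliding-window burst detector over constructed file-creation events (the event format, paths and timestamps are invented) and reports the densest window and the directories touched:

```python
"""Flag a burst of files created with the Trinity 'trinitylock' extension."""
import os
from collections import Counter
from datetime import datetime, timedelta

TRINITY_EXT = ".trinitylock"  # extension named in the HHS advisory

# Constructed sample events (timestamp, path); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-10-04T09:00:00", "C:/Users/alice/Documents/budget.xlsx"),  # benign
    ("2024-10-04T09:00:05", "C:/Users/alice/Documents/budget.xlsx.trinitylock"),
    ("2024-10-04T09:00:06", "C:/Users/alice/Documents/report.docx.trinitylock"),
    ("2024-10-04T09:00:06", "C:/Users/alice/Pictures/scan1.png.trinitylock"),
    ("2024-10-04T09:00:08", "C:/Users/alice/Pictures/scan2.png.trinitylock"),
    ("2024-10-04T09:00:09", "C:/Users/alice/Desktop/notes.txt.trinitylock"),
    ("2024-10-04T09:00:40", "C:/Users/alice/Desktop/todo.txt"),  # benign
    ("2024-10-04T09:03:00", "C:/Users/alice/Downloads/old.zip.trinitylock"),  # isolated
]


def parse_events(rows):
    """Turn (iso_timestamp, path) rows into (datetime, path) tuples."""
    return [(datetime.fromisoformat(ts), path) for ts, path in rows]


def trinitylock_events(events):
    """Keep only events whose path carries the Trinity extension."""
    return [(ts, p) for ts, p in events if p.lower().endswith(TRINITY_EXT)]


def peak_burst(events, window=timedelta(seconds=60)):
    """Return (count, start) of the densest window of trinitylock creations.

    Two-pointer sweep over the time-sorted hits: j advances while hits[j] is
    still within `window` of hits[i], so each event is visited once.
    """
    hits = sorted(trinitylock_events(events))
    best, best_start, j = 0, None, 0
    for i, (start, _) in enumerate(hits):
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        if j - i > best:
            best, best_start = j - i, start
    return best, best_start


def affected_directories(events):
    """Count trinitylock files per directory, to scope the clean-up."""
    return dict(Counter(os.path.dirname(p) for _, p in trinitylock_events(events)))


def is_alert(events, window=timedelta(seconds=60), threshold=5):
    """True when any window holds at least `threshold` trinitylock creations."""
    return peak_burst(events, window)[0] >= threshold


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(peak_burst(evs), is_alert(evs), affected_directories(evs))
```

The threshold and window are tuning knobs; a single isolated `.trinitylock` file (the 09:03 event) does not trip the alert, while the five-file burst within one minute does.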
According to HHS, there is currently no decryption method available, leaving “victims with few options.”
The operators run two different sites: one is a decryption support site for victims who have paid the ransom, and the other publishes stolen data to pressure victims into paying.
“Identical ransom note and code”
Federal experts found that the Trinity and Venus ransomware strains have similarities in their code base and tactics, including the use of the same types of encryption algorithms and similar registry values and naming conventions.
Similarly, Trinity shares characteristics with 2023Lock, including “identical ransom note and code,” suggesting that Trinity may be a new variant of it.
The Health Sector Cybersecurity Coordination Center previously issued an advisory on the Venus ransomware in 2022, following multiple attacks targeting the healthcare industry.
Several researchers at cybersecurity companies have also said that Trinity is a rebrand of Venus and 2023Lock, and ransomware expert Allan Liska told Recorded Future News that Trinity is a “particularly sophisticated ransomware. But I don't think the attackers behind it are that sophisticated either.”
HHS warned that the link between Trinity, Venus, and 2023Lock “suggests a potential association or collaboration between threat actor groups.”
“This cooperation could lead to an exchange of technology, tools, and infrastructure, increasing the scale and sophistication of future ransomware campaigns,” the advisory said.
HHS has previously issued advisories regarding the Royal, Cuba, Venus, Lorenz, and Hive ransomware groups.
After a slight dip in activity and revenue, ransomware continues to thrive despite increased law enforcement action and industry pressure, with attacks bringing in an estimated $450 million in the first half of 2024.
Attacks on the healthcare industry continue to take a significant toll on communities across the country. Last week, a ransomware attack forced a Texas hospital, the only Level 1 trauma center within 400 miles, to limit operations and turn away some ambulances.
The hospital said Friday that phone lines have been restored and only some ambulance patients are being transferred to other hospitals.