Fraud Management & Cybercrime , Healthcare , Industry Specific
Feds Warn Health Sector of New 'Trinity' Ransomware Threats
Gang Hits Victims with 'Sophisticated' Exfiltration, Encryption Extortion AttacksHealthcare sector entities have yet another ransomware group to worry about, warn U.S. federal authorities. Trinity - a relatively new threat actor - is targeting critical industries, including healthcare, with sophisticated double extortion attacks, said the Department of Health and Human Services in a threat alert.
See Also: How Overreliance on EDR is Failing Healthcare Providers
HHS Health Sector Cybersecurity Coordination Center on Friday said Trinity, which first surfaced this spring, exfiltrates victim's sensitive data before encrypting files with the ChaCha20 encryption algorithm.
ChaCha20 is a symmetric encryption algorithm that uses a 256-bit key for both encrypting and decrypting data, tagging files with the “.trinitylock” extension, HHS HC3 said.
Trinity, which operates a victim "support site" for decryption assistance and a leak site that lists its victims, also shares similarities with two other ransomware groups, 2023Lock and Venus. This suggests possible connections or collaborations among the threat actors, HHS HC3 said.
"The group's tactics and techniques are sophisticated, making them a significant threat to the U.S. healthcare and public health sector," the alert said.
The Health Information Sharing and Analysis Center has tracked ten Trinity victims since the group emerged around June 2024, affecting organizations in seven countries across several sectors including healthcare, retail, hospitality, professional services, financial services and education.
The gang tends to "go to great lengths to extort ransom by threatening to publicly expose victims' sensitive information," said Errol Weiss, chief security officer at Health-ISAC.
"We are aware of at least two victims in the healthcare sector. What that tells me is the Trinity gang is using a 'shotgun' approach - sending out batches of emails and scanning across the entire internet looking for a victim." he said. "I don't think they're targeting any company or sector specifically."
So far, the two known healthcare sector victims include one in the United States and the other in the United Kingdom, HHS HC3 said.
The HHS HC3 alert does not identify the healthcare sector organization by name, but as of Monday, Trinity's leak site claimed to have 330 gigabytes of data stolen from Rocky Mountain Gastroenterology in Colorado.
The healthcare provider on a notice posted on its website said it is currently experiencing technical issues. "Our staff has limited availability to answer phone calls. If you have an emergency, please dial 911. Procedures are still being performed as scheduled. If you are scheduled for a procedure today, please plan to arrive at the designated time."
Rocky Mountain Gastro did not immediately respond to Information Security Media Group's request for comment.
Trinity Details
Both the Trinity and Venus ransomware strains have similarities in their codebase and tactics, including their use of the ChaCha20 encryption algorithm and similar registry values and mutex naming conventions, HHS HC3 said.
"Researchers have also observed similarities between Trinity ransomware and the 2023Lock ransomware, which has been active since early 2024. The deep similarities between the two variants, like identical ransom notes and code, suggest that Trinity might also be a newer variant of the 2023Lock ransomware," HHS HC3 said.
"Upon installation, Trinity ransomware begins gathering system details such as the number of processors, available threads and connected drives to optimize its multi-threaded encryption operations," the alert said.
Next, Trinity ransomware will attempt to escalate its privileges by impersonating the token of a legitimate process. "This allows it to evade security protocols and protections. Additionally, Trinity ransomware performs network scanning and lateral movement, indicating its ability to spread and carry out attacks across multiple systems in a targeted network," HHS HC3 said.
Trinity demands a ransom payment in cryptocurrency in exchange for the decryption key. "Victims have 24 hours to contact the cybercriminals, and failure to do so will result in the stolen data being leaked or sold. Unfortunately, no known decryption tools are currently available for Trinity ransomware, leaving victims with few options," HHS HC3 said.
The Trinity ransomware gang has successfully compromised organizations through phishing attacks, exploiting unpatched systems and using stolen credentials, Weiss said.
"To prevent being a victim of Trinity ransomware, healthcare organizations should be focused on cybersecurity basics - staying up to date on patching, backing systems up and using multifactor authentication for remote access," he said.
Healthcare sector entities also should implement strong anti-phishing strategies, such as using email filters to block malicious attachments or remove hyperlinks, which can help reduce phishing threats, said Himaja Motheram, security researcher at security firm Censys.
"Keeping up with patch management and applying software updates, especially for internet-facing assets, is important for preventing exploitation," she said.
Beyond that, organizations should be following the minimum cybersecurity guidelines documented in the HHS cyber performance goals that were released in January, Weiss advised.
"As we've seen in the evolution of these ransomware gangs, it's probably only a matter of time before they target individual patients as well. It's an absolute nightmare for the healthcare provider and the patients who are impacted."
Historically, many ransomware groups operating in the ransomware-as-a-service model had an internal code of ethics that includes avoiding breaching some specific sectors, such as hospitals or critical infrastructure, thus avoiding great harm to society and consequently drawing less attention from law enforcement, said Leandro Fróes, senior threat research engineer at security firm Netskope.
This code has essentially gone out the window for most gangs.
“Now, it appears the healthcare industry is an acceptable target for most ransomware groups," he said.
"Everyone working in the healthcare industry should assume that they will be targeted with ransomware and take appropriate actions to lock down their systems."