Trinity Strikes: The Rise of a New Ransomware in the Healthcare Sector
Medical institutions in the United States have fallen victim to a new ransomware known as Trinity. According to the U.S. Department of Health and Human Services, the tactics and methods employed by the group behind Trinity pose a “significant threat” to the nation’s healthcare and public health sectors. Experts noted that the ransomware was first detected in May 2024.
Reportedly, Trinity has harmed at least seven organizations, two of which operate in the healthcare sector. One of the victims is an American provider of gastroenterology services, from which 330 GB of data was stolen. The institution, which had previously posted a notice about technical issues and limited access to its phone systems, has yet to be identified but is mentioned on Trinity’s leak site. Another case was recorded in the United Kingdom. Additionally, researchers reported an incident involving a group of dentists from New Jersey.
Experts have highlighted the similarities between Trinity and two other ransomware variants—2023Lock and Venus—indicating potential collaboration between cybercriminal groups. Like other ransomware, Trinity exploits known vulnerabilities to steal data and extort its victims.
Once installed, the program gathers system data, including information about processors and connected drives, before scanning the network for vulnerabilities to further propagate. Encrypted files receive the extension “trinitylock,” after which a ransom note appears on the desktop or in the folders containing the encrypted data.
The malware also attempts to escalate its privileges by mimicking legitimate processes, allowing it to bypass security measures. Trinity scans the network and moves through it, infecting other systems.
The ransom note contains instructions and an email contact address. Victims are given 24 hours to pay the ransom in cryptocurrency, or their data will be published. Experts have pointed out that, at present, there are no methods available to decrypt the data. The ransomware operators use two websites—one to assist those who have paid the ransom and another to showcase stolen data as a means of pressuring victims.
It has also been established that Trinity and Venus share similarities in their codebase and encryption methods, suggesting that Trinity may be a new version of 2023Lock. Similar conclusions have been drawn by other researchers, who believe Trinity might be a rebranding of Venus and 2023Lock.
To counter this threat, specialists recommend network segmentation, the use of backups, and regular software updates.
