05-13-2024, 04:55 PM
News Researchers Observe Potential Ties between Trinity and Venus Ransomware Strains
<p><img width="1024" height="1024" src="https://thecyberexpress.com/wp-content/uploads/Trinity-ransomware-Venus-ransomware-CYBLE.webp" alt="Trinity ransomware Venus ransomware CYBLE" /></p>
Cybersecurity researchers at Cyble's Research and Intelligence Labs (CRIL) have uncovered a new ransomware variant called Trinity, which employs a double extortion strategy and has potential links to the previously identified Venus ransomware.
This article explores the findings about the Trinity ransomware strain as well as the noted similarities between the Trinity and Venus ransomware strains.
<h3>Uncovering Tactical and Technical Details of Trinity Ransomware</h3>
CRIL researchers <a href="https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties/" target="_blank" rel="nofollow noopener">observed a new ransomware variant</a> called Trinity that employs the now-common double extortion playbook: it exfiltrates data from victims' systems before encrypting them, and it operates both a support site and a leak site.
The support site lets victims upload sample files smaller than 2MB for test decryption, while the leak site, although currently empty, is intended to publish victim data if the ransom is not paid.
<p><img class="wp-image-68024 size-full" src="https://thecyberexpress.com/wp-content/uploads/Trinity-Ransomware.webp" alt="Trinity Ransomware" width="940" height="457" /> Source: Cyble Blog</p>
In the initial stages of the investigation, researchers observed similarities between the Trinity ransomware and the 2023Lock ransomware, which has been active since early 2024. The depth of the overlap between the two, including identical ransom notes and shared code, suggests that Trinity is a newer variant of 2023Lock rather than an independent development.
The execution flow is deliberate. The binary first searches itself for the embedded ransom note and terminates immediately if the note is not present, a simple self-check that also defeats analysts who strip the note from a sample. It then collects system information such as the processor count, the size of the thread pool it will use, and the drives present on the host, in preparation for multi-threaded encryption.
The ransomware then attempts privilege escalation by impersonating the access token of a legitimate process, so that it runs with that process's rights and can bypass security controls that would otherwise block it. It also performs network enumeration and lateral movement, demonstrating that it is built to spread beyond the initial host rather than encrypt a single machine.
<p><img class="wp-image-68025 size-full" src="https://thecyberexpress.com/wp-content/uploads/Trinity-ransomware-Venus-ransomware.webp" alt="Trinity ransomware Venus ransomware" width="547" height="284" /> Source: Cyble Blog</p>
The Trinity variant uses the ChaCha20 stream cipher to encrypt victim files. After encryption, the extension “.trinitylock” is appended to each filename, and ransom notes are dropped in both plain text and .hta formats. The ransomware also replaces the desktop wallpaper with the ransom note, writing a specific registry value to make the change take effect.
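For responders, the two concrete artefacts the article gives (the “.trinitylock” extension and the text-plus-.hta note pair) are enough to build a first-pass triage pass over a mounted evidence image or share. The Python below is an added example, not code from Cyble or from the article. It relies on one further fact the article implies but does not spell out: ChaCha20 output is indistinguishable from random bytes, so a genuinely encrypted file shows near-maximal byte entropy, which lets the script flag files that carry the extension but were not actually encrypted (zero-byte files from an interrupted run, or decoys). The entropy threshold, the sample size and the “both note formats in the same directory” heuristic are assumptions; the ransom-note file names are not given in the article, so nothing keys on a name.

```python
"""Triage helper for a host or share hit by a '.trinitylock'-style encryptor.

Added example, not Cyble's or the article's code. Assumptions are marked.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCK_EXT = ".trinitylock"      # extension the article reports Trinity appends
NOTE_EXTS = {".txt", ".hta"}   # the two note formats the article reports
HIGH_ENTROPY = 7.5             # assumption: bits/byte threshold for a 64 KiB sample
SAMPLE_BYTES = 65536           # assumption: read only the head of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the head of the file is near-random, as ChaCha20 ciphertext is."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= HIGH_ENTROPY


def triage(root: Path) -> dict:
    """Walk `root` and report: every locked file, locked files whose content is NOT
    high-entropy (interrupted write, decoy, or renamed-only), and directories that
    hold both a .txt and an .hta file (heuristic for a dropped note pair)."""
    locked, suspect, note_dirs = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        exts_here = set()
        for name in files:
            p = d / name
            ext = p.suffix.lower()
            if ext == LOCK_EXT:
                locked.append(p)
                if not looks_encrypted(p):
                    suspect.append(p)
            elif ext in NOTE_EXTS:
                exts_here.add(ext)
        if NOTE_EXTS <= exts_here:
            note_dirs.append(d)
    return {"locked": sorted(locked), "suspect": sorted(suspect), "note_dirs": sorted(note_dirs)}


def _pseudo_ciphertext(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes standing in for ChaCha20 output (constructed)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def demo() -> dict:
    """Build a constructed victim tree in a temp dir, triage it, return summary counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share = root / "share"
        share.mkdir()
        # constructed samples: one real-looking ciphertext, one plaintext wearing the
        # extension, one zero-byte file, a txt/hta note pair, and an untouched file
        (share / "report.docx.trinitylock").write_bytes(_pseudo_ciphertext(SAMPLE_BYTES))
        (share / "notes.txt.trinitylock").write_bytes(b"The quick brown fox " * 2000)
        (share / "empty.xlsx.trinitylock").write_bytes(b"")
        (share / "README.txt").write_bytes(b"constructed note text: your files are encrypted")
        (share / "README.hta").write_bytes(b"<html><body>constructed note</body></html>")
        (root / "untouched.txt").write_bytes(b"nothing to see here")
        r = triage(root)
        return {"locked": len(r["locked"]), "suspect": len(r["suspect"]),
                "note_dirs": len(r["note_dirs"])}


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a read-only mount of the evidence (never the live host) and treat the `suspect` list as the interesting one: a locked file with low entropy is either evidence that encryption was interrupted (worth correlating with process-kill timestamps) or a file whose original content may still be recoverable. The note-pair heuristic is coarse; confirm hits by reading the .txt, since .hta files also appear in legitimate installers.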
<h3>Similarities Between Trinity Ransomware and Venus Ransomware</h3>
The connections between Trinity and Venus go beyond a resemblance in their ransom notes and registry usage.
Venus, an established ransomware operation with a global reach, emerged around mid-2022. The overlap between Venus and Trinity extends to identical registry values, consistent mutex naming conventions and a shared code base.
The ransom notes used by both variants also follow the same format. Shared tactics, techniques and code at this level indicate a possible collaboration between the two groups, or reuse of one group's tooling by the other. Such a relationship could lead to the exchange of techniques, tools and infrastructure, increasing the scale and sophistication of future campaigns.
CRIL researchers have <a href="https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties/" target="_blank" rel="nofollow noopener">advised organizations</a> to stay vigilant and implement robust cybersecurity measures to protect against these evolving threats.
<span dir="ltr" style="color: #ff0000;"><i>Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. </i><a style="color: #ff0000;" href="https://thecyberexpress.com/" target="_blank" rel="noreferrer noopener"><i>The Cyber Express</i></a><i> assumes no liability for the accuracy or consequences of using this information.</i></span>
https://thecyberexpress.com/researchers-...are-venus/