In the Shadow of Venus: Trinity Ransomware’s Covert Ties 

Cyble Blogs | Latest | 10 May 2024

Key Takeaways

  • CRIL (Cyble Research and Intelligence Labs) has discovered a new ransomware variant named Trinity. It employs a double extortion technique against its victims. 
  • The Threat Actors (TA) behind Trinity ransomware operate both a victim support site and a data leak site.  
  • CRIL’s analysis found that a ransomware called “2023Lock” shares the same ransom note format and underlying codebase with Trinity, indicating that Trinity is likely a new variant of 2023Lock. 
  • CRIL also observed similarities between Trinity and Venus ransomware, such as the registry value names used and the mutex naming convention.  
  • This suggests a potential connection or a common threat actor behind Trinity and Venus. Venus ransomware, operational since 2022, has conducted widespread attacks globally. 
  • Trinity ransomware encrypts files with the ChaCha20 algorithm. It drops ransom notes in both text and .hta formats, changes the desktop wallpaper via a registry modification, and appends a “.trinitylock” extension to encrypted files. 

Overview

Recently, CRIL identified a new ransomware variant named Trinity. It employs a double extortion strategy to target its victims. The group seems to exfiltrate the victim’s data before initiating encryption. The perpetrators behind this ransomware utilize both a victim support site and a leak site. The victim support site allows users to upload a sample file for decryption. The figure below shows the victim support site.  

Figure 1 – Trinity Victim Support Site 

However, the leak site associated with this ransomware currently does not display any victims. The figure below shows the leak site. 

Figure 2 – Leak Site 

During our investigations, we found a ransomware named 2023Lock, which utilizes the same ransom note used by the Trinity ransomware. The 2023Lock ransomware has been active since early 2024. We also observed similarities in the code blocks of both ransomware, as shown in the figure below. This suggests that Trinity ransomware is actually a new variant of 2023Lock ransomware.  

Figure 3 – 2023Lock vs Trinity Ransomware 

We’ve also noticed code similarities between Trinity and Venus ransomware. The shared code elements indicate a possible connection, suggesting that the same threat actor may be responsible for both ransomware variants. The Venus ransomware emerged around mid-August 2022, encrypting victims globally. 

The figure below illustrates the code similarities between files associated with the Venus and Trinity ransomware variants, notably their use of identical registry value names, secpbGOOD and pbsecGOOD.

Figure 4 – Using Same Registry Values 

In the figure below, the ransomware can be seen employing a consistent format for naming mutexes and leveraging the mutex name for both file names and registry data. 

Figure 5 – Using the Same Convention for Naming the Mutex 

Technical Analysis 

Upon execution, the ransomware attempts to locate the ransom note stored as a resource in the binary. It calls FindResourceW() to find the resource and SizeofResource() to determine its size, then LoadResource() to load the resource into memory and LockResource() to obtain a pointer to its data.  

Figure 6 – Loading Ransom Note 

If the ransomware fails to load the ransom note or encounters an error while processing it, it terminates itself by calling ExitProcess() with an exit code of 1.  

Figure 7 – Terminating Itself 

Next, the ransomware resolves the API functions it needs at runtime, which keeps them out of the binary’s import table. It obtains handles to already-loaded DLLs with GetModuleHandle() and passes each module handle and a function name to GetProcAddress() to retrieve the function’s address. 

This ransomware resolves the following functions (all exported by ntdll.dll, except SetSecurityInfo, which is exported by advapi32.dll): 

  • RtlInitUnicodeString 
  • NtCreateFile 
  • NtWriteFile 
  • NtReadFile 
  • NtQueryDirectoryFile 
  • NtOpenFile 
  • NtClose 
  • NtSetInformationFile 
  • NtRemoveIoCompletion 
  • NtSetIoCompletion 
  • NtCreateIoCompletion 
  • NtQuerySystemInformation 
  • SetSecurityInfo 
  • NtQueryObject 

Figure 8 – Dynamically Resolving Functions 

Next, the ransomware creates a COM object and calls CoSetProxyBlanket() to set the security context under which calls through the COM proxy are made. It passes 0xA (RPC_C_AUTHN_WINNT) as dwAuthnSvc, selecting NTLM-based Windows authentication for the proxy.  

Figure 9 – Creating COM Object 

Following this, the ransomware queries WMI for shadow copy information. It iterates over the results and collects details of each shadow copy, including its ID. For every shadow copy ID retrieved, it constructs a WMI object path and invokes the COM object to delete that shadow copy, so that the victim cannot restore files from Volume Shadow Copies. 

Figure 10 – Retrieving Information Related to Shadow Copies 

Subsequently, the ransomware verifies whether it is already running in the system by calling OpenMutexA() to ascertain the presence of a mutex named “48065934119990121.” If such a mutex exists, the ransomware proceeds to terminate itself. Conversely, if the mutex does not exist, the ransomware proceeds to create a new one named “48065934119990121” using CreateMutexA(), as shown below. 

Figure 11 – Mutex Creation 

After that, it checks whether the access token of the current process holds the privileges listed below and, where present, enables them by adjusting the token’s privileges; the routine returns a Boolean value indicating whether the adjustment succeeded. These privileges support the ransomware’s later activities: SeDebugPrivilege lets it open other processes and their tokens (used in the token impersonation described below), and SeTakeOwnershipPrivilege lets it take ownership of files whose ACLs would otherwise block access. 

  • SeDebugPrivilege 
  • SeTcbPrivilege 
  • SeTakeOwnershipPrivilege 
  • SeSecurityPrivilege 

Figure 12 – Altering Token Privileges 

Following this, it opens the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion with RegOpenKeyExW() and queries the values named “pbsecGOOD” and “secpbGOOD” under that key with RegQueryValueExA(). If these values do not exist, it creates the two registry values “pbsecGOOD” and “secpbGOOD.” These are the same value names observed in Venus (Figure 4) and they appear as strings in the YARA rule at the end of this post. 

Figure 13 – Creating Registry Key 

The ransomware binary gathers system information through GetSystemInfo(), focusing on the processor count. Subsequently, it establishes a thread pool by iteratively invoking CreateThread(). This results in the creation of a total of (2 * Number of Processors) threads. Each thread is tasked with executing functions responsible for encrypting files.  

Figure 14 – Usage of Multithreading 

Then, the ransomware enumerates drives. It retrieves the bitmask of available logical drives with GetLogicalDrives() and iterates through the drive letters ‘A’ to ‘Z’, testing the corresponding bit to check whether each drive exists. If it does, the ransomware gathers information about the drive. 

For each existing drive, it constructs a path of the form “\\?\X:”, where ‘X’ is the current drive letter, and obtains the drive type with GetDriveTypeW(). If the drive is a fixed, removable, or network drive, it retrieves the drive’s disk space with GetDiskFreeSpaceW(). 

Figure 15 – Enumerating Drives 
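The drive-selection logic described above, as an added example for this page (not code from the Trinity sample): decode the GetLogicalDrives() bitmask, build the “\\?\X:” path, and keep only fixed, removable and network drives. The drive-type lookup is passed in as a function so the logic runs on any OS; the drive map and bitmask at the bottom are constructed test data standing in for GetDriveTypeW() and GetLogicalDrives().

```python
# GetDriveTypeW() return values (winbase.h).
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0, 1, 2, 3
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 4, 5, 6

# Drive types the ransomware goes on to process; CD-ROM and RAM disks fall through.
TARGET_TYPES = {DRIVE_FIXED, DRIVE_REMOVABLE, DRIVE_REMOTE}


def drives_from_mask(mask: int) -> list[str]:
    """Bit n of the GetLogicalDrives() bitmask is set iff drive chr('A' + n) exists."""
    return [chr(ord("A") + n) for n in range(26) if mask >> n & 1]


def select_target_drives(mask: int, drive_type_of) -> list[str]:
    """Return the "\\?\X:" paths of existing drives whose type is in TARGET_TYPES.

    `drive_type_of(path)` stands in for GetDriveTypeW(); the "\\?\" prefix is the
    Win32 extended-length path form the sample uses for its drive paths.
    """
    targets = []
    for letter in drives_from_mask(mask):
        path = "\\\\?\\" + letter + ":"
        if drive_type_of(path) in TARGET_TYPES:
            targets.append(path)
    return targets


# Constructed test data: C: fixed, D: CD-ROM, E: USB stick, Z: mapped network share.
CONSTRUCTED_TYPES = {
    "\\\\?\\C:": DRIVE_FIXED,
    "\\\\?\\D:": DRIVE_CDROM,
    "\\\\?\\E:": DRIVE_REMOVABLE,
    "\\\\?\\Z:": DRIVE_REMOTE,
}
CONSTRUCTED_MASK = (1 << 2) | (1 << 3) | (1 << 4) | (1 << 25)   # bits for C, D, E, Z


if __name__ == "__main__":
    # Unknown letters map to DRIVE_UNKNOWN via dict.get, so they are skipped.
    for path in select_target_drives(CONSTRUCTED_MASK, lambda p: CONSTRUCTED_TYPES.get(p, DRIVE_UNKNOWN)):
        print("would enumerate", path)
```

On a live Windows host the same two functions can be driven by ctypes calls to kernel32.GetLogicalDrives and kernel32.GetDriveTypeW; the filtering step is what determines which volumes end up with “.trinitylock” files.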

Afterward, the ransomware attempts to impersonate a token of another process. This technique is usually utilized by malware to escalate privileges and bypass access controls. It creates a snapshot of the running processes using CreateToolhelp32Snapshot() and iterates through the processes using Process32FirstW() and Process32NextW(). For each process, it opens the process and checks its token statistics. If the process has the same token statistics as the current process, it opens the process again, retrieves its token, and duplicates it. The figure below shows the token impersonation.  

Figure 16 – Impersonating Token 

Next, it starts by enumerating network resources via WNetOpenEnumW(). Upon locating a network resource, it proceeds to iterate through it with WNetEnumResourceW() for encryption. It also initializes Winsock, creates sockets, threads, and IO completion ports, retrieves host information, and performs various network-related tasks for lateral movement. The figure below shows the code for scanning IPs on a network. 

Figure 17 – Lateral Movement 

This ransomware encrypts files with ChaCha20, a symmetric stream cipher that uses a 256-bit key; the same key is required for decryption. The figure below shows the ChaCha20 constants (“expand 32-byte k”) and quarter rounds in the binary.  

Figure 18 – ChaCha20 Encryption Algorithm 
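To make the constants and quarter round in Figure 18 concrete, here is a pure-Python ChaCha20 (RFC 8439) as an added example for this page. It is not code from the Trinity sample, and it says nothing about how the sample generates or protects its per-victim keys, which the report does not describe. The key and nonce used in the demonstration are the RFC 8439 section 2.3.2 test inputs; the short messages are constructed.

```python
from __future__ import annotations

import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"   # the four constant words at the top of the ChaCha state


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(a: int, b: int, c: int, d: int) -> tuple[int, int, int, int]:
    """The ARX quarter round: add, XOR, rotate by 16 / 12 / 8 / 7 bits."""
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 7)
    return a, b, c, d


def _qr(s: list[int], ia: int, ib: int, ic: int, id_: int) -> None:
    s[ia], s[ib], s[ic], s[id_] = quarter_round(s[ia], s[ib], s[ic], s[id_])


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block from a 256-bit key, 32-bit block counter and 96-bit nonce."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = (list(struct.unpack("<4I", SIGMA)) + list(struct.unpack("<8I", key))
             + [counter & MASK32] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                                   # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)  # columns
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)   # diagonals
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (the same XOR) `data` with the keystream starting at `counter`."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out.extend(x ^ k for x, k in zip(data[off:off + 64], ks))
    return bytes(out)


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Why (key, nonce) reuse matters for any ChaCha20-based locker: XORing two
    ciphertexts made under the same key, nonce and counter cancels the keystream
    and yields plaintext1 XOR plaintext2, with no key recovery needed."""
    return bytes(x ^ y for x, y in zip(ct1, ct2))


if __name__ == "__main__":
    key = bytes(range(32))                                    # RFC 8439 test key
    nonce = bytes.fromhex("000000090000004a00000000")         # RFC 8439 test nonce
    print("block 1:", chacha20_block(key, 1, nonce).hex())    # starts 10f1e7e4...
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"          # constructed messages
    c1, c2 = chacha20_xor(key, nonce, p1), chacha20_xor(key, nonce, p2)
    print("c1 ^ c2 == p1 ^ p2:", keystream_reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2)))
```

The last function is the practitioner’s caveat for stream-cipher ransomware: the cipher itself is sound, so any hope of recovery without paying lies in how the key and nonce are derived, stored and reused per file, not in ChaCha20.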

After encryption, the ransomware appends the extension “.trinitylock” to the filenames of the encrypted files. The figure below provides a visual representation of the encrypted files. 

Figure 19 – Encrypted Files 

Following this, it drops a ransom note named “README.txt” in the root of the “C:\” drive. The note contains the threat actor’s (TA) instructions and their onion site for communication. The figure below displays the ransom note.  

Figure 20 – Trinity Ransom Note

Additionally, it drops a ransom note in the “C:\Windows” directory as a “.hta” file named “48065934119990121.hta”, using the mutex name as the file name. It then launches the file through the Windows shell so that the ransom note is displayed to the victim automatically. The figure below illustrates the .hta ransom note.  

Figure 21 – .hta Ransom Note 

Furthermore, an image file named “48065934119990121.jpg” is dropped in the “C:\Windows” directory for use as the desktop background; again, the file name is the mutex name. The ransomware then sets the registry value HKCU\Control Panel\Desktop\Wallpaper via RegSetValueExW() to point at that image, changing the desktop wallpaper. The figure below illustrates the registry entry. 

Figure 22 – Registry Entry to set desktop Wallpaper 
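The host artifacts described in the technical analysis (shadow-copy deletion through WMI, the pbsecGOOD/secpbGOOD registry values, the “.trinitylock” extension, the README.txt in the drive root, the mutex-named .hta and .jpg drops under C:\Windows, and the Wallpaper registry value) can be matched in endpoint telemetry. The following detection logic is an added example written for this page, not Cyble’s code. The event schema (kind / image / target / data), the sample records and the process name update.exe are constructed stand-ins for Sysmon-style file, registry and WMI events; a real pipeline will have different field names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Artifacts taken from the analysis above.
TRINITY_MUTEX = "48065934119990121"                 # mutex name, reused for dropped file names
TRINITY_REG_VALUES = {"pbsecGOOD", "secpbGOOD"}     # values written under HKCU\...\CurrentVersion
TRINITY_EXT = ".trinitylock"
WALLPAPER_VALUE = r"HKCU\Control Panel\Desktop\Wallpaper"
RANSOM_NOTE = r"C:\README.txt"


@dataclass(frozen=True)
class Event:
    """Constructed, Sysmon-like record (assumed schema, not a real log format)."""
    kind: str       # "file_create", "reg_set" or "wmi_op"
    image: str      # process that performed the action
    target: str     # file path, registry value path, or WMI object path
    data: str = ""  # registry data, or the WMI operation name


def match_event(ev: Event) -> list[str]:
    """Return the Trinity indicator tags a single event satisfies (empty if none)."""
    hits: list[str] = []
    low = ev.target.lower()
    if ev.kind == "file_create":
        name = ev.target.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if name.lower().endswith(TRINITY_EXT):
            hits.append("encrypted_file_extension")
        elif low == RANSOM_NOTE.lower():
            hits.append("ransom_note_in_root")
        elif (stem == TRINITY_MUTEX and ext.lower() in {"hta", "jpg"}
              and low.startswith("c:\\windows\\")):
            hits.append("mutex_named_drop")
    elif ev.kind == "reg_set":
        key, _, value = ev.target.rpartition("\\")
        if (value in TRINITY_REG_VALUES
                and key.lower().endswith(r"\microsoft\windows\currentversion")):
            hits.append("marker_registry_value")
        elif (low == WALLPAPER_VALUE.lower()
              and ev.data.lower().endswith(f"\\{TRINITY_MUTEX}.jpg")):
            hits.append("wallpaper_set_to_mutex_jpg")
    elif ev.kind == "wmi_op":
        # Deletion of a Win32_ShadowCopy instance: inhibits recovery (T1490).
        if re.search(r"(?i)\bwin32_shadowcopy\b", ev.target) and ev.data.lower() == "deleteinstance":
            hits.append("shadow_copy_deletion")
    return hits


def triage(events: list[Event]) -> dict[str, tuple[list[str], bool]]:
    """Group indicator hits by originating process. A process is flagged when it
    shows at least two distinct indicator families, so a lone wallpaper change
    or one oddly named file does not fire on its own."""
    per_image: dict[str, set[str]] = {}
    for ev in events:
        for tag in match_event(ev):
            per_image.setdefault(ev.image, set()).add(tag)
    return {img: (sorted(tags), len(tags) >= 2) for img, tags in per_image.items()}


RANSOMWARE = r"C:\Users\victim\Downloads\update.exe"   # hypothetical process name
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [  # constructed records, in the order of operations described above
    Event("wmi_op", RANSOMWARE, 'Win32_ShadowCopy.ID="{00000000-0000-0000-0000-000000000001}"', "DeleteInstance"),
    Event("reg_set", RANSOMWARE, r"HKCU\Software\Microsoft\Windows\CurrentVersion\pbsecGOOD", "1"),
    Event("reg_set", RANSOMWARE, r"HKCU\Software\Microsoft\Windows\CurrentVersion\secpbGOOD", "1"),
    Event("file_create", RANSOMWARE, r"C:\Users\victim\Documents\budget.xlsx.trinitylock"),
    Event("file_create", RANSOMWARE, RANSOM_NOTE),
    Event("file_create", RANSOMWARE, r"C:\Windows\48065934119990121.hta"),
    Event("file_create", RANSOMWARE, r"C:\Windows\48065934119990121.jpg"),
    Event("reg_set", RANSOMWARE, WALLPAPER_VALUE, r"C:\Windows\48065934119990121.jpg"),
    # Benign noise: the user picks a new wallpaper and saves a document.
    Event("reg_set", EXPLORER, WALLPAPER_VALUE, r"C:\Users\victim\Pictures\beach.jpg"),
    Event("file_create", EXPLORER, r"C:\Users\victim\Documents\notes.txt"),
]


if __name__ == "__main__":
    for image, (tags, flagged) in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {'FLAG' if flagged else 'ok'} {tags}")
```

The mutex itself is not visible in most log sources, but because the sample reuses the mutex name for its .hta and .jpg drops, a file-create event is the cheapest proxy for it; on a live host, the same name can be checked directly with OpenMutex from a triage script.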

Conclusion

Multiple ransomware variants have adopted a double extortion strategy, escalating ransomware tactics. By threatening to release sensitive data in addition to encrypting files, threat actors sharply increase the pressure on victims to pay ransom demands.  

Furthermore, the identification of Trinity’s similarities with other ransomware variants, such as 2023Lock and Venus, suggests a potential link or collaboration among threat actor groups. This collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns.  

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures Needed to Prevent Ransomware Attacks 

  • Do not open untrusted links and email attachments without first verifying their authenticity. 
  • Conduct regular backup practices and keep those backups offline or in a separate network. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

Users Should Take the Following Steps After a Ransomware Attack 

  • Disconnect infected devices on the compromised network. 
  • Disconnect external storage devices if connected. 
  • Inspect system logs to check for suspicious events. 

Impact of Ransomware 

  • Loss of valuable data. 
  • Loss of the organization’s reputation and integrity. 
  • Loss of the organization’s sensitive business information. 
  • Disruption in organization operation. 
  • Financial loss. 

MITRE ATT&CK® Techniques 

Tactic   Technique  Procedure 
Execution  T1204.002 (User Execution)  Malicious file. 
Defense Evasion  T1134 (Access Token Manipulation)  Impersonates Tokens 
Defense Evasion  T1140 (Deobfuscate/Decode Files or Information)  The binary contains encrypted strings.  
Discovery  T1083 (File and Directory Discovery)  Ransomware enumerates folders for file encryption. 
Lateral Movement  T1570 (Lateral Tool Transfer)  Enumerates network shares and scans the network.  
Impact  T1486 (Data Encrypted for Impact)  Ransomware encrypts the data for extortion. 
Impact  T1491.001 (Defacement: Internal Defacement)  Changes desktop wallpaper. 
Impact  T1490 (Inhibit System Recovery)  Removes Shadow copies. 

Indicators of Compromise (IOCs) 

Indicators  Indicator Type  Description 
949c438e4ed541877dce02b38bf593ad  MD5  Trinity Ransomware 
4c58d2d624d9bdf6b14a6f8563788785074947a7  SHA1  Trinity Ransomware 
36696ba25bdc8df0612b638430a70e5ff6c5f9e75517ad401727be03b26d8ec4  SHA256  Trinity Ransomware 

YARA Rule

rule Trinity
{
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects Trinity Ransomware"
        date = "2024-05-10"
        os = "Windows"

    strings:
        // registry value names created under HKCU\Software\Microsoft\Windows\CurrentVersion
        $a1 = "pbsecGOOD" ascii fullword
        $a2 = "secpbGOOD" ascii fullword
        // string as it appears in the sample (spelling preserved)
        $b1 = "Wallaper" fullword ascii
        $b2 = "wehaveyourdata@onionmail.org" fullword nocase ascii wide

    condition:
        all of them
}

The post In the Shadow of Venus: Trinity Ransomware’s Covert Ties  appeared first on Cyble.