
HHS warns about Trinity ransomware


The Health Sector Cybersecurity Coordination Center (HC3) released a profile of a recent threat actor emerging in the U.S.

 

What happened 

In May 2024, a cyber threat called Trinity began targeting healthcare providers. Trinity gains initial access through methods such as phishing emails, malicious websites, and exploitation of vulnerabilities in unpatched software. After gaining access, it gathers system information, escalates privileges by impersonating legitimate processes, and spreads laterally across the network. It then applies a double extortion strategy: it first exfiltrates sensitive data, then encrypts files with the ChaCha20 encryption algorithm and adds the “.trinitylock” extension to each encrypted file.
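A defender's view of the “.trinitylock” indicator described above, as an added example that is not from the HC3 report or this article: it flags hosts where several files are renamed to that extension within a short window. The log format, host names, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".trinitylock"             # extension named in the article
WINDOW = timedelta(seconds=60)   # assumed burst window
THRESHOLD = 3                    # assumed; set much higher on real file servers

# Constructed sample events: "<timestamp> <host> <action> <old path> -> <new path>"
SAMPLE_LOG = r"""
2024-10-01T09:00:01 ws-014 RENAME C:\Users\a\report.docx -> C:\Users\a\report.docx.trinitylock
2024-10-01T09:00:02 ws-020 RENAME C:\tmp\draft.txt -> C:\tmp\final.txt
2024-10-01T09:00:03 ws-014 RENAME C:\Users\a\scan 01.pdf -> C:\Users\a\scan 01.pdf.TRINITYLOCK
2024-10-01T09:00:05 srv-02 RENAME D:\share\x.xlsx -> D:\share\x.xlsx.trinitylock
2024-10-01T09:00:09 ws-014 RENAME C:\Users\a\db.bak -> C:\Users\a\db.bak.trinitylock
2024-10-01T09:05:00 srv-02 RENAME D:\share\y.xlsx -> D:\share\y.xlsx.trinitylock
2024-10-01T09:10:00 srv-02 RENAME D:\share\z.xlsx -> D:\share\z.xlsx.trinitylock
"""

def parse(line):
    """Split one constructed log line; paths may contain spaces."""
    ts, host, action, rest = line.split(" ", 3)
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, action, old, new

def detect_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: time of first alert} for hosts with at least `threshold`
    renames to EXT inside `window`. Assumes events arrive in time order."""
    recent = defaultdict(deque)   # host -> timestamps of matching renames
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, _old, new = parse(line)
        # Case-insensitive match: Windows file names are not case-sensitive.
        if action != "RENAME" or not new.lower().endswith(EXT):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {THRESHOLD}+ '{EXT}' renames within {WINDOW} at {when}")
```

Because encryption follows exfiltration in the sequence described above, an alert of this kind means data may already have left the network.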

By October 2024, Trinity had attacked at least seven organizations, including healthcare providers in the U.S. and the U.K. One of its U.S. victims, a gastroenterology provider, had 330 GB of sensitive data stolen. Trinity also operates a victim support site for limited decryption assistance and a data leak site to pressure victims by threatening to publish their stolen data.

 

In the know: What are threat actors?

Threat actors are individuals or groups that intentionally cause harm to organizations or systems, usually through cyberattacks. They aim to steal data, disrupt services, or demand ransom by exploiting security weaknesses. These actors can be criminals, hackers, or even state-sponsored groups.

 

What was said 

The HC3 report states, “There has been a total of seven Trinity ransomware victims identified to date. Of these, two victims have been identified as healthcare providers, one based in the United Kingdom, and the other a United States-based gastroenterology services provider…”

 

Why it matters 

Trinity's attacks are linked to other threat actors through shared tactics and codebases. These similarities suggest that Trinity may either collaborate with or be a variant of the 2023Lock ransomware, which has been active since early 2024. Its progression into sophisticated attacks and its potential affiliations with other ransomware strains make it an evolving threat to industries like healthcare.


 

FAQs

What is PHI? 

Protected health information refers to any health-related data that can identify an individual.

 

What is the role of the HC3?

The HC3 helps protect the healthcare sector from cyber threats by providing guidance, resources, and threat intelligence. 

 

Is the payment of a ransom advisable? 

Payment of a ransom is generally not advisable as it funds and encourages further attacks.