Healthcare Organizations Warned of Trinity Ransomware Attacks


The US Department of Health and Human Services (HHS) is raising the alarm on Trinity ransomware attacks targeting healthcare and public health organizations.

First seen in May 2024, Trinity is a fairly new ransomware family that appends the ‘.trinitylock’ extension to encrypted files and shares similarities with the 2023Lock and Venus ransomware, HHS notes in its alert (PDF).

Like other ransomware groups, Trinity’s operators list their victims on a leak site and use a separate site to interact with victims seeking assistance with the decryption process.

Considered a sophisticated threat actor, the Trinity ransomware gang is believed to represent a major risk to the healthcare and public health sector. At least one healthcare organization in the US is known to have fallen victim to the group.

For initial access, the threat actor relies on phishing, vulnerable software, and malicious websites. Next, the group performs reconnaissance, network scanning, and lateral movement, and attempts to elevate privileges within the environment by impersonating the token of a legitimate process.

Before starting the encryption process, the Trinity ransomware group also exfiltrates data from the victims’ systems to leverage it for extortion purposes.

“It encrypts the victim’s files using a robust encryption algorithm, rendering them unusable without the correct decryption key. The ransomware typically appends the ‘.trinitylock’ file extension to the affected files, making it clear which ones have been compromised,” HHS notes.

After the encryption process has been completed, the ransomware deploys ransom notes in text and .hta formats and modifies the desktop wallpaper.


“The ransom note is often placed on the desktop or within directories containing the encrypted files. This note contains instructions provided by the threat actor, their onion site URL, and the email address for communication,” HHS says.
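The two file-system artifacts the alert describes, mass creation of files carrying the ‘.trinitylock’ extension and text or .hta ransom notes dropped into the directories holding those files, are enough for a simple host-level detection. The following is an added example written for this article, not HHS or any vendor code: it runs a sliding-window heuristic over file-creation events. The event format (`timestamp|host|op|path`), the threshold and window values, and the sample log lines are all constructed assumptions; only the extension and the note formats come from the alert.

```python
"""Heuristic detector for Trinity-style encryption activity in file-system events.

Added illustration, not HHS or vendor code. Indicators taken from the alert:
the '.trinitylock' extension and ransom notes in .txt / .hta format placed in
directories that contain encrypted files. The log format, thresholds and
sample events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRINITY_EXTENSION = ".trinitylock"
RANSOM_NOTE_SUFFIXES = (".txt", ".hta")
# Assumption: this many .trinitylock writes on one host inside WINDOW is
# treated as mass encryption rather than a single stray file.
MASS_ENCRYPTION_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed sample events (ISO timestamp|host|operation|path). ws-17 shows
# an encryption burst followed by note drops; ws-22 is benign-looking noise.
SAMPLE_EVENTS = """\
2024-10-01T09:00:00|ws-17|create|/home/alice/docs/q3-report.docx.trinitylock
2024-10-01T09:00:01|ws-17|create|/home/alice/docs/budget.xlsx.trinitylock
2024-10-01T09:00:02|ws-17|create|/home/alice/docs/notes.txt.trinitylock
2024-10-01T09:00:03|ws-17|create|/home/alice/docs/scan1.pdf.trinitylock
2024-10-01T09:00:04|ws-17|create|/home/alice/docs/scan2.pdf.trinitylock
2024-10-01T09:00:05|ws-17|create|/home/alice/docs/note.hta
2024-10-01T09:00:06|ws-17|create|/home/alice/docs/note.txt
2024-10-01T10:30:00|ws-22|create|/home/bob/archive/old.bak.trinitylock
2024-10-01T10:31:00|ws-22|create|/home/bob/todo.txt
""".splitlines()


def parse_event(line):
    """Parse one 'timestamp|host|op|path' line into a dict."""
    ts, host, op, path = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "op": op, "path": path}


def is_encrypted_name(path):
    """True when the path carries the extension Trinity appends."""
    return path.lower().endswith(TRINITY_EXTENSION)


def detect(lines):
    """Return alerts for mass encryption and co-located ransom-note drops.

    Alerts are emitted in event order; a host gets at most one
    'mass_encryption' alert, but every note drop is reported.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    enc_times = defaultdict(list)   # host -> recent .trinitylock write times
    enc_dirs = defaultdict(set)     # host -> directories that hold encrypted files
    flagged_hosts = set()

    for e in events:
        if e["op"] not in ("create", "rename"):
            continue
        directory = e["path"].rsplit("/", 1)[0]

        if is_encrypted_name(e["path"]):
            enc_dirs[e["host"]].add(directory)
            times = enc_times[e["host"]]
            times.append(e["ts"])
            # Slide the window: forget writes older than WINDOW.
            while times and e["ts"] - times[0] > WINDOW:
                times.pop(0)
            if len(times) >= MASS_ENCRYPTION_THRESHOLD and e["host"] not in flagged_hosts:
                flagged_hosts.add(e["host"])
                alerts.append({"host": e["host"], "kind": "mass_encryption",
                               "ts": e["ts"], "count": len(times)})
        elif (e["path"].lower().endswith(RANSOM_NOTE_SUFFIXES)
              and directory in enc_dirs[e["host"]]):
            # A .txt/.hta written into a directory that already holds
            # .trinitylock files matches the note placement HHS describes.
            alerts.append({"host": e["host"], "kind": "ransom_note_drop",
                           "ts": e["ts"], "path": e["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the detector raises one `mass_encryption` alert for `ws-17` at the fifth write and two `ransom_note_drop` alerts for the .hta and .txt files that follow; `ws-22` produces nothing because its single encrypted file sits in a different directory from the later .txt and never reaches the burst threshold. In practice the event source would be EDR or audit telemetry, and the window and threshold would be tuned against the host’s normal file churn.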

The agency also notes that Trinity has similarities with the 2023Lock and Venus ransomware families, such as the use of the ChaCha20 encryption algorithm, similar mutex naming and registry values, and identical ransom notes. The depth of these similarities suggests that Trinity might be the successor of 2023Lock.

“Unfortunately, no known decryption tools are currently available for Trinity ransomware, leaving victims with few options. Some victims, however, have had limited success by using data recovery tools or consulting cybersecurity professionals to attempt file restoration,” HHS says.

The Trinity ransomware group’s Tor-based leak site currently lists five victims, including Rocky Mountain Gastroenterology, from which it claims to have stolen 330 gigabytes of data. Overall, the gang is believed to have compromised 10 organizations.
