1
Total Victims
2024-05-01
First Seen
2026-03-06
Last Seen
0
Known TTPs
5.7d
Avg Delay
0
Negotiations
ONION URLS
txtggyng5euqkyzl2knbejwpm4rlq575jn2egqldu27osbqytrj6ruyd.onion
TOOLS
ChaCha20 AES
FILE EXTENSIONS
.trinitylock
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
2026-03-06 Titan Inc Poland Insurance Published

No TTP data

Trinity_rule_1 YARA-Rules/rules
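rule Trinity_ransomware_1 {
    // Detects Trinity ransomware samples: a Windows executable under 5 MB that
    // carries family-specific byte sequences together with ransom-note vocabulary.
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a86ea46bdcb1d690281672e3de72297d2d58264d09708a8c7725b67743fd4fd4"

    strings:
        // Sample-specific byte sequences.
        $h0 = { A4 9D DE A7 F3 46 19 2E 90 DE 77 04 92 09 6F }
        // The source listing ended the next two patterns on a lone nibble ("F"),
        // which is not a valid YARA hex token. The nibble wildcard "F?" keeps the
        // known high nibble and accepts any low nibble instead of guessing it.
        $h4 = { 74 29 16 CE 64 89 7A 2B 5A 87 C6 C1 37 41 5E 32 B8 AB 5D 2B F? }
        $h6 = { 1C 2E 3D 9A 0F E7 F2 AE 3C A3 94 87 56 D9 A3 BC C2 23 F9 F? }

        // Generic ransom-note vocabulary. These words occur in many ransomware
        // families and in some benign software, so they only corroborate a match.
        $s1 = "YOUR FILES" nocase
        $s2 = "BITCOIN" nocase
        $s3 = "DECRYPT" nocase
        $s5 = "Do not modify" nocase
        $s7 = "PAYMENT" nocase

    condition:
        uint16(0) == 0x5A4D and     // "MZ" magic: PE executable
        filesize < 5MB and
        // At least one family-specific byte pattern is required, so the five
        // generic words alone can no longer satisfy the "4 of them" threshold.
        1 of ($h*) and
        4 of them
}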
Trinity_rule_2 Florian Roth
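rule Trinity_ransomware_2 {
    // Detects Trinity ransomware by three sample-specific byte sequences in a
    // Windows executable under 5 MB; all three sequences must be present.
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a41d8eee07c4b325c981d3fd49aaa4b1f97ab1f2a1bfaff13186f662dafa30f0"

    strings:
        $h0 = { 44 85 4F D6 80 1C 12 74 }
        $h1 = { FE A4 54 BE EF AD 6E 4E 7E D8 72 18 5E 96 CA FF 8F A3 81 2D 7C 28 92 89 }
        // The source listing ended this pattern on a lone nibble ("A"), which is
        // not a valid YARA hex token. "A?" keeps the known high nibble and accepts
        // any low nibble instead of guessing it.
        $h2 = { 0E 76 BF C9 D0 ED A7 1B 2A A? }

    condition:
        uint16(0) == 0x5A4D and     // "MZ" magic: PE executable
        filesize < 5MB and
        3 of them                   // i.e. every byte pattern above
}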
Trinity_rule_3 Florian Roth
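rule Trinity_ransomware_3 {
    // Detects Trinity ransomware by an embedded onion hostname or a sample-specific
    // byte sequence alongside ransom-note fragments, in a Windows executable under 5 MB.
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f1a38a63d5ee417d9ad3213a8a633ea859d5ed4555d6435eb492a7f0071903d0"

    strings:
        // 56-character onion hostname. Tor v3 addresses use only [a-z2-7], so this
        // character class is deliberately broader than the real alphabet.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // The source listing ended this pattern on a lone nibble ("B"), which is
        // not a valid YARA hex token. "B?" keeps the known high nibble and accepts
        // any low nibble instead of guessing it.
        $h1 = { 72 1D 20 E2 44 ED 2F EA 32 C8 18 81 B? }
        // The original listed "Do not modify" twice ($s2 and $s3). Both copies
        // matched together, so "2 of them" was satisfied by that one phrase alone;
        // the duplicate is dropped so the threshold needs two distinct indicators.
        $s2 = "Do not modify" nocase
        // Four punctuation bytes: very weak evidence on its own, kept only as a
        // corroborating indicator.
        $s4 = "::::" nocase

    condition:
        uint16(0) == 0x5A4D and     // "MZ" magic: PE executable
        filesize < 5MB and
        2 of them
}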
Type Value Description
md5 d8abff35be5164520d2ed99433fc8500 Malware sample hash observed in Trinity attacks
md5 9acbe4605917f278ad6c876e321cd92c Malware sample hash observed in Trinity attacks
tox 39385AB09B4F33C6863BFD848BC1BBEC7864F9341C5838DBA863B211416FD4B87CA454B4E2D4 Associated with Trinity ransomware
tox E2C23F7E6AE0E4B426B4E2A57BFE5CD82BB7AD8FD16921501824EAD9D7045DC9DDEB39593091 Tox messenger ID - Trinity campaign
tox D44EFD193C357690F3CDF2E7C134EBED15B09306A2AC1AE4CFCA3D8C0A97D6DD647DE8D6F80B Tox messenger ID observed in Trinity attacks
md5 495cccc9f2e9c655a705951ac682efb6 Infrastructure linked to Trinity
tox DCCEBF7490E0704BEED4C8BFAA6AD1F9169FEEBC4CA98A93E5DE620DFFD5AE614A64BEB92DFE Infrastructure linked to Trinity
ip 153.253.245.147 Infrastructure linked to Trinity
ip 89.254.16.35 Infrastructure linked to Trinity
sha256 258e197ecbd78744bf6405af527e70356a09340ddc3ae758d9ddf7fd99e2f9c5 Infrastructure linked to Trinity
sha256 3bbc6ceb1ce9f1fa7ea4af1568d11e80678114902e579adce90c30a2d06786e1 Associated with Trinity ransomware
btc bc1qc2nyayu438c1jsiaisojm1m13t1isig8o0h7yw Associated with Trinity ransomware
tox DAD6B1D8EAB6A87ABFD9B347CCF011E6DA4DDA3E03FD005548B50214B4486DCBDF883F6DB9A2 Tox messenger ID observed in Trinity attacks

No ransom notes