In the Shadow of Venus: Trinity Ransomware’s Covert Ties 

Key Takeaways

• CRIL (Cyble Research and Intelligence Labs) has discovered a new ransomware variant named Trinity. This variant employs a double extortion technique to target victims. 
• The Threat Actors (TA) behind Trinity ransomware utilize both victim support and data leak sites.  
• CRIL’s analysis unveiled that a ransomware called “2023Lock” shares a similar ransom note format and underlying codebase with Trinity, indicating it could be a new variant of 2023Lock. 
• CRIL also observed similarities between Trinity and Venus ransomware, such as registry value usage and mutex naming conventions.  
• This suggests a potential connection or common threat actor behind the Trinity and Venus ransomware. Venus ransomware, operational since 2022, has conducted widespread attacks globally in previous incidents. 
• Trinity ransomware employs the ChaCha20 algorithm for encryption. It distributes ransom notes in both text and .hta formats, adjusts the desktop wallpaper via a registry modification, and tags encrypted files with a “.trinitylock” extension. 

Overview

Recently, CRIL identified a new ransomware variant named Trinity. It employs a double extortion strategy to target its victims. The group seems to exfiltrate the victim’s data before initiating encryption. The perpetrators behind this ransomware utilize both a victim support site and a leak site. The victim support site allows users to upload a sample file for decryption. The figure below shows the victim support site.  

Figure 1 – Trinity Victim Support Site 

However, the leak site associated with this ransomware currently does not display any victims. The figure below shows the leak site. 

Figure 2 – Leak Site 

During our investigations, we found a ransomware named 2023Lock, which utilizes the same ransom note used by the Trinity ransomware. The 2023Lock ransomware has been active since early 2024. We also observed similarities in the code blocks of both ransomware, as shown in the figure below. This suggests that Trinity ransomware is actually a new variant of 2023Lock ransomware.  

Figure 3 – 2023Lock vs Trinity Ransomware 

We’ve also noticed code similarities between Trinity and Venus ransomware. The shared code elements indicate a possible connection, suggesting that the same threat actor may be responsible for both ransomware variants. The Venus ransomware emerged around mid-August 2022, encrypting victims globally. 

The figures below illustrate the code similarities between files associated with both the Venus and Trinity ransomware variants, notably in their use of identical registry values such as secpbGOOD and pbsecGOOD. 

Figure 4 – Using Same Registry Values 

In the figure below, the ransomware can be seen employing a consistent format for naming mutexes and leveraging the mutex name for both file names and registry data. 

Figure 5 – Using the Same Convention for Naming the Mutex 

Technical Analysis 

Upon execution, the ransomware attempts to find the ransom note stored in the binary’s resource. It uses FindResourceW() to locate the resource and SizeofResource() to determine its size. Subsequently, LoadResource() is utilized to load the resource into memory, followed by locking it.  

Figure 6 – Loading Ransom Note 

If the ransomware binary fails to load the ransom note or throws an error while processing, it terminates itself by calling ExitProcess(), which terminates the current process with an exit code of 1.  

Figure 7 – Terminating Itself 

Now, the ransomware resolves the functions during runtime.  It acquires handles for DLLs using GetModuleHandle(), enabling access to loaded modules in memory. These handles are then utilized with GetProcAddress() to access particular functions within those DLLs by providing the module handle and function name as parameters. 

This ransomware resolves the following functions of Ntdll.dll: 

• RtlInitUnicodeString 
• NtCreateFile 
• NtWriteFile 
• NtReadFile 
• NtQueryDirectoryFile 
• NtOpenFile 
• NtClose 
• NtSetInformationFile 
• NtRemoveIoCompletion 
• NtSetIoCompletion 
• NtCreateIoCompletion 
• NtQuerySystemInformation 
• SetSecurityInfo 
• NtQuerySystemInformation 
• NtQueryObject 

Figure 8 – Dynamically Resolving Functions 

Next, the ransomware creates a COM object and sets security settings (CoSetProxyBlanket) to define the security context under which the COM object will execute. It sets the dwAuthnSvc flag of CoSetProxyBlanket() to  0xA (RPC_C_AUTHN_WINNT), which is utilized to set the permissions for the COM object.  

Figure 9 – Creating COM Object 

Following this, the ransomware initiates the querying of WMI Data. It utilizes a WMI query to retrieve system shadow copy-related information. Upon iterating through the results, it gathers details about each shadow copy, including its ID. For every retrieved shadow copy ID, the function executes further operations, constructing a WMI object path and engaging with the COM object to undertake actions associated with removing shadow copies. 

Figure 10 – Retrieving Information Related to Shadow Copies 

Subsequently, the ransomware verifies whether it is already running in the system by calling OpenMutexA() to ascertain the presence of a mutex named “48065934119990121.” If such a mutex exists, the ransomware proceeds to terminate itself. Conversely, if the mutex does not exist, the ransomware proceeds to create a new one named “48065934119990121” using CreateMutexA(), as shown below. 

Figure 11 – Mutex Creation 

After that, it verifies the presence of specific privileges (mentioned below) in the access token of the current process, attempting to modify the token privileges accordingly if they exist. Afterward, it returns a Boolean value indicating the success of the privilege adjustment. These privileges empower the ransomware to execute its malicious activities effectively, including encrypting files, evading detection, or disabling security mechanisms. 

• SeDebugPrivilege 
• SeTcbPrivilege 
• SeTakeOwnershipPrivilege 
• SeSecurityPrivilege 

Figure 12 – Altering Token Privileges 

Following this, it proceeds to access the registry key HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion using the function RegOpenKeyExW(). It then retrieves the registry values named “pbsecGOOD” and “secpbGOOD” from the registry key by employing RegQueryValueExA(). In case these entries do not exist, it proceeds to create two registry keys named “pbsecGOOD” and “secpbGOOD.” 

Figure 13 – Creating Registry Key 

The ransomware binary gathers system information through GetSystemInfo(), focusing on the processor count. Subsequently, it establishes a thread pool by iteratively invoking CreateThread(). This results in the creation of a total of (2 * Number of Processors) threads. Each thread is tasked with executing functions responsible for encrypting files.  

Figure 14 – Usage of Multithreading 

Then, the ransomware starts enumerating the drives. It starts by retrieving information about the logical drives in the system using GetLogicalDrives(). It then iterates through each drive letter, from ‘A’ to ‘Z’, checking if each drive exists. If it does, it prepares to gather information about the drive. 

For each existing drive, it constructs a path in the format “??X:”, where ‘X’ is the current drive letter. It then gets the drive type using GetDriveTypeW(). If the drive type is either a fixed, removable, or network drive, it proceeds to gather information about the drive’s disk space using GetDiskFreeSpaceW(). 

Figure 15 – Enumerating Drives 

Afterward, the ransomware attempts to impersonate a token of another process. This technique is usually utilized by malware to escalate privileges and bypass access controls. It creates a snapshot of the running processes using CreateToolhelp32Snapshot() and iterates through the processes using Process32FirstW() and Process32NextW(). For each process, it opens the process and checks its token statistics. If the process has the same token statistics as the current process, it opens the process again, retrieves its token, and duplicates it. The figure below shows the token impersonation.  

Figure 16 – Impersonating Token 

Next, it starts by enumerating network resources via WNetOpenEnumW(). Upon locating a network resource, it proceeds to iterate through it with WNetEnumResourceW() for encryption. It also initializes Winsock, creates sockets, threads, and IO completion ports, retrieves host information, and performs various network-related tasks for lateral movement. The figure below shows the code for scanning IPs on a network. 

Figure 17 – Lateral Movement 

This ransomware encrypts the files using ChaCha20, a symmetric encryption algorithm that utilizes a 256-bit key for both encrypting and decrypting data. The figure below illustrates the constants and quarter rounds utilized in ChaCha20.  

Figure 18 – ChaCha20 Encryption Algorithm 

After encryption, the ransomware appends the extension “.trinitylock” to the filenames of the encrypted files. The figure below provides a visual representation of the encrypted files. 

Figure 19 – Encrypted Files 

Following this, it drops a ransom note named “README.txt” in the “C:” directory. This note contains instructions provided by the threat actor (TA) and their onion site for communication. The figure below displays the ransom note.  

Figure 20 – Trinity Ransom Note

Additionally, it drops a ransom note in the “C:Windows” directory as a “.hta” file named “48065934119990121.hta“, where the mutex name serves as the file name. Subsequently, it initiates the execution using a Windows shell to automatically display the ransom note to the victim. The figure below illustrates the .hta ransom note.  

Figure 21 – .hta Ransom Note 

Furthermore, an image file named “48065934119990121.jpg” is dropped in the “C:Windows” directory for using it as a desktop background. The file name corresponds to the mutex name. Moreover, a registry key is established via RegSetValueExW() at HKCU\Control Panel\Desktop\Wallpaper to facilitate the alteration of the desktop wallpaper. The figure below illustrates the registry entry. 

Figure 22 – Registry Entry to set desktop Wallpaper 

Conclusion

Multiple ransomware variants have adopted a double extortion strategy, escalating ransomware tactics. By threatening to release sensitive data in addition to encrypting files, threat actors exponentially increase the pressure on victims to pay ransom demands.  

Furthermore, the identification of Trinity’s similarities with other ransomware variants, such as 2023Lock and Venus, suggests a potential link or collaboration among threat actor groups. This collaboration could lead to the exchange of techniques, tools, and infrastructure, amplifying the scale and sophistication of future ransomware campaigns.  

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures Needed to Prevent Ransomware Attacks 

• Do not open untrusted links and email attachments without first verifying their authenticity. 
• Conduct regular backup practices and keep those backups offline or in a separate network. 
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

Users Should Take the Following Steps After a Ransomware Attack 

• Disconnect infected devices on the compromised network. 
• Disconnect external storage devices if connected. 
• Inspect system logs to check for suspicious events. 

Impact of Ransomware 

• Loss of valuable data. 
• Loss of the organization’s reputation and integrity. 
• Loss of the organization’s sensitive business information. 
• Disruption in organization operation. 
• Financial loss. 

 MITRE ATT&CK® Techniques 

Tactic	Technique	Procedure
Execution	T1204.002 (User Execution)	Malicious file.
Defense Evasion	T1134 (Access Token Manipulation)	Impersonates Tokens
Defense Evasion	T1140 (Deobfuscate/Decode Files or Information)	The binary contains encrypted strings.
Discovery	T1083 (File and Directory Discovery)	Ransomware enumerates folders for file encryption.
Lateral Movement	T1570 (Lateral Tool Transfer)	Enumerates network shares and scans the network.
Impact	T1486 (Data Encrypted for Impact)	Ransomware encrypts the data for extortion.
Impact	T1491.001 (Defacement: Internal Defacement)	Changes desktop wallpaper.
Impact	T1490 (Inhibit System Recovery)	Removes Shadow copies.

Indicators of Compromise (IOCs) 

Indicators	Indicator Type	Description
949c438e4ed541877dce02b38bf593ad   4c58d2d624d9bdf6b14a6f8563788785074947a7   36696ba25bdc8df0612b638430a70e5ff6c5f9e75517ad401727be03b26d8ec4	MD5  SHA1  SHA256	Trinity Ransomware

YARA Rule

rule Trinity{ 

meta: 

author = "Cyble Research and Intelligence Labs" 

description = "Detects Trinity Ransomware" 

date = "2024-05-10" 

os = "Windows" 

strings: 

$a1  = "pbsecGOOD" ascii fullword 

$a2  = "secpbGOOD" ascii fullword 

$b1  = "Wallaper" fullword ascii 

$b2 = "[email protected]" fullword nocase ascii wide 

condition: 

            	all of them 

} 

References

• https://www.hhs.gov/sites/default/files/venus-ransomware-analyst-note.pdf 
• https://www.broadcom.com/support/security-center/protection-bulletin/2023lock-ransomware  

The post In the Shadow of Venus: Trinity Ransomware’s Covert Ties  appeared first on Cyble.