Ransomware gang Trinity joins pile of scumbags targeting healthcare

As if hospitals and clinics didn't have enough to worry about

At least one US healthcare provider has been infected by Trinity, an emerging cybercrime gang with eponymous ransomware that uses double extortion and other "sophisticated" tactics that make it a "significant threat," according to the feds.

The US Department of Health and Human Services sounded the alarm in an October 4 security advisory about the new crims on the block, first spotted in May. It also noted [PDF] that the Health Sector Cybersecurity Coordination Center (HC3) is "aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently."

This appears to be Rocky Mountain Gastroenterology, which has been listed on Trinity's leak site, with the group claiming to have stolen 330 GB of data. The HHS warning indicates that one of the gang's two healthcare victims is a US-based gastroenterology services provider.

The Colorado-based clinics did not immediately respond to The Register's inquiries. However, as of Tuesday morning a banner across the company's website noted: "We are currently experiencing technical issues, and our staff has limited availability to answer phone calls."

In August, Trinity claimed to have stolen 3.63TB of data belonging to Cosmetic Dental Group in the Channel Islands and threatened to publish it in September. 

The group's leak site also lists a law firm in Florida and Georgia, and has claimed responsibility for attacking orgs in the UK, Canada, China, the Philippines, Argentina and Brazil. 

Trinity, like most ransomware gangs these days, uses double extortion in its attacks – meaning it steals sensitive data before locking up the victim's files, and then threatens to leak the private data if the org doesn't pay up. This turns up the heat on the infected groups and increases the likelihood that they will pay a ransom to the extortionists.

It's believed that the criminals gain initial access by exploiting flaws in unpatched software, sending phishing emails with malicious attachments or links, or compromising remote desktop protocol (RDP) endpoints with weak or stolen credentials. In other words, all of the tricks that criminals use to break into victims' networks.

The malware itself – also called Trinity – shares similarities with two other types of ransomware: 2023Lock and Venus.

Both Trinity and Venus use the ChaCha20 encryption algorithm and similar registry values and mutex naming conventions. Trinity also shares code with the 2023Lock ransomware and uses a ransom note identical to that gang's. Unfortunately, no known Trinity decryption tools exist.

Since Trinity is just one of the many new crews exploding onto the ransomware scene and specifically targeting hospitals and other healthcare organizations, it's a good idea to heed HHS's advice, both to prevent ransomware infections in the first place and to recover more quickly in the event of an attack.

Implement a recovery plan that includes retention of multiple copies of sensitive data and servers in physically separate and secure locations. Also, use network segmentation and offline backups to limit the criminals' movement and interruptions to business.

To protect against phishing attacks, consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.

Turn on multifactor authentication (MFA) and consider using this to better secure Remote Desktop Protocol (RDP) access while also placing RDP behind a Virtual Private Network (VPN). ®
