
What is Trinity, the ransomware with which a group of hackers has supposedly stolen and encrypted data from the Tax Agency


This weekend the HackManac cybersecurity alert system warned of a cyberattack that had supposedly affected the Spanish Tax Agency (AEAT). According to the alert, 560 GB of data was stolen and encrypted with a ransomware called Trinity. Those responsible are demanding a payment of 38 million dollars before midnight on December 31, 2024 to release the data. So what is Trinity?

Trinity. This ransomware was first detected in May 2024. Like other malware of this type, it encrypts data so that its owners can no longer access or use it. In this case the affected files end up renamed with a “.trinitylock” extension.

How it works. The malware gets into systems through various attack vectors such as phishing, malicious websites or the exploitation of software vulnerabilities. From there it collects information about the system it has infiltrated (processor characteristics, connected drives) and tries to gain privileges by passing itself off as a legitimate process. Once it has that access, it attempts to spread across the network to hit multiple systems.

Not only does it encrypt, it also steals. As Hive Pro indicates, once Trinity has managed to infiltrate a system the ransomware does two things: first, it exfiltrates the data it is about to encrypt so that a copy remains in the attacker's hands; second, it encrypts that data with an algorithm that leaves it unusable on the victim's system unless the decryption key is used.

Similar to other well-known ransomware. Trinity appears to share traits with the Venus and 2023Lock ransomware: Trinity and Venus both use the ChaCha20 encryption algorithm, and Trinity's ransom messages resemble those left by 2023Lock, which suggests Trinity is a “fork” of those malicious applications. When its attack is complete, Trinity displays a ransom note in text and in .hta (HTML application) format, and also changes the desktop background by modifying the Windows registry.

Screenshot 2024 12 02 At 8 32 26

Image: WatchGuard

At the moment there is no solution. For now there are no known tools that decrypt this ransomware, which leaves victims with few options. As WatchGuard indicates, the cybercriminals who use it demand ransom payment in cryptocurrency. For contact they leave an email address or even offer a Deep Web URL (.onion) that can be visited with the Tor browser.
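The behaviours the article describes (mass renames to “.trinitylock”, ransom notes dropped as text and .hta, a wallpaper change through the registry) are observable on an endpoint. The following triage heuristic is an added example written for this page, not code from Xataka or any vendor cited; the file-event lines are constructed, and the exact registry value used for the wallpaper swap is assumed since the article only says “Windows registry”.

```python
from collections import defaultdict

TRINITY_EXT = ".trinitylock"   # encrypted-file extension named in the article
NOTE_EXTS = (".txt", ".hta")   # ransom note formats named in the article
WALLPAPER_VALUE = r"HKCU\Control Panel\Desktop\Wallpaper"  # assumed; article only says "registry"
# Constructed events (not real telemetry): "<epoch> <host> <action> <target>"
SAMPLE_EVENTS = r"""
1733100000 ws01 RENAME C:\Users\a\docs\q3.xlsx -> C:\Users\a\docs\q3.xlsx.trinitylock
1733100001 ws01 RENAME C:\Users\a\docs\plan.docx -> C:\Users\a\docs\plan.docx.trinitylock
1733100002 ws01 CREATE C:\Users\a\docs\README.hta
1733100003 ws01 REGSET HKCU\Control Panel\Desktop\Wallpaper
1733100400 ws02 RENAME C:\tmp\test.trinitylock -> C:\tmp\test.bak
1733100500 ws03 CREATE C:\tmp\notes.txt
"""

def max_in_window(stamps, window):
    # Largest number of sorted timestamps inside any span of `window` seconds
    best = j = 0
    for i, t in enumerate(stamps):
        while stamps[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def score_hosts(log_text, window=60, rename_threshold=2):
    """Return {host: [findings]} for hosts whose events look like Trinity activity."""
    renames, notes, wallpaper = defaultdict(list), defaultdict(set), set()
    for line in log_text.strip().splitlines():
        ts, host, action, target = line.split(" ", 3)
        if action == "RENAME":
            src, dst = target.split(" -> ")
            # Only renames that ADD the extension count; restoring a file is not encryption
            if dst.lower().endswith(TRINITY_EXT) and not src.lower().endswith(TRINITY_EXT):
                renames[host].append(int(ts))
        elif action == "CREATE" and target.lower().endswith(NOTE_EXTS):
            notes[host].add(target.rsplit(".", 1)[1].lower())
        elif action == "REGSET" and target == WALLPAPER_VALUE:
            wallpaper.add(host)
    findings = {}
    for host in set(renames) | set(notes) | wallpaper:
        stamps, hits = sorted(renames[host]), []
        burst = max_in_window(stamps, window)
        if burst >= rename_threshold:
            hits.append(f"{burst} files renamed to {TRINITY_EXT} within {window}s")
        if stamps and notes[host]:   # a lone .txt with no encryption is noise
            hits.append("ransom note candidate(s): " + ", ".join(sorted(notes[host])))
        if stamps and host in wallpaper:
            hits.append("desktop wallpaper registry value changed")
        if hits:
            findings[host] = hits
    return findings
```

On the sample, only ws01 is flagged: ws02 renamed a file away from the extension and ws03 merely created a .txt, so neither reaches the threshold.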

