Ransomware.live 👀

Ransomware Group:

Trinity

Sponsored by Hudson Rock – Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are impacting your business

Sites

Favicon	Title	Type	Available	Last Visit	FQDN	Screenshot
	rans		🟢	2025-03-25 12:31:20.833029	txtggyng5euqkyzl2knbejwpm4rlq575jn2egqldu27osbqytrj6ruyd.onion	📸

Yara Rules

Click here to open yara rules

Negotiation chats

Name	# Msg	Initial Ransom	Negotiated Ransom
0003	298	N/A	N/A
0009	6	N/A	N/A
0013	32	N/A	N/A
0005	14	N/A	N/A
0007	36	N/A	N/A
0001	2	N/A	N/A
0012	15	N/A	N/A
0014	6	N/A	N/A
0002	52	N/A	N/A
0004	170	N/A	N/A
0008	13	N/A	N/A
0011	50	$15,000	N/A
0010	8	N/A	N/A
0006	11	N/A	N/A

This information is provided by Valéry Marchive & Julien Mousqueton

Ransom Note(s)

Click here to see Ransom Note(s)

Activity over time

Worldmap

18 Victims

Kairav Chemofarbe Industries

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:31

Sector: Manufacturing

[AI generated] Kairav Chemofarbe Industries Ltd is a pharmaceutical company based in Mumbai, India. Founded in 1983, the company specializes in the manufacture of chemical products targeting the pharmaceutical and chemical industries. Some of their products include both intermediates and APIs. The company is known for its research and development abilities which have led to the creation of competitive products in the global market.

Victim: | Group:

consultoria-consultores.es

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:29

Sector: Not Found

219GB

Victim: | Group:

ROBONG-WINMINI

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:27

Sector: Not Found

[AI generated] N/A

Victim: | Group:

Lake Psychological Services

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:26

Sector: Healthcare

190Gb

Victim: | Group:

CANAM Realty Group

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:24

Sector: Business Services

[AI generated] CANAM Realty Group is a full-service real estate company based in Arizona, United States. They provide numerous services, such as property management, investment consulting, residential leasing, and home sales. The company has a team of dedicated real estate professionals skilled in different aspects of the industry. They focus on serving their clients' needs whether they are homeowners, renters, or investors, offering precise, professional, and personal service.

Victim: | Group:

CNS

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:23

Sector: Not Found

[redacted]

Victim: | Group:

la-z-boy

Ransomware Group:

Trinity

Discovery Date: 2025-03-16 21:21

Sector: Consumer Services

[AI generated] La-Z-Boy is a renowned furniture company based in the USA, most known for their iconic recliners. Founded in 1927, they offer a wide range of home furniture including sofas, chairs, lift chairs, loveseats, and sleepers. Additionally, they provide home accessories such as rugs, lamps, and tables. They focus on creating comfortable, long-lasting furnishings while offering personalized custom order options.

Victim: | Group:

Agencia Tributaria AEAT

Ransomware Group:

Trinity

Discovery Date: 2024-11-30 22:27

Sector: Government

560Gb - Revenue: 38$mln - Publication date: 2024-12-31

Victim: | Group:

Barnes & Cohen

Ransomware Group:

Trinity

Discovery Date: 2024-10-03 19:04

Sector: Not Found

15Gb - Revenue: <$5 Million - Publication date: 2024-11-04

Victim: | Group:

FoccoERP

Ransomware Group:

Trinity

Discovery Date: 2024-10-02 07:10

Sector: Technology

Data base 300 GB - Revenue: $ 20 Million - Publication date: 2024-11-01

Victim: | Group:

Fabrica Industrial Machinery & Equipment

Ransomware Group:

Trinity

Discovery Date: 2024-09-23 10:08

Sector: Manufacturing

Data base 20+tb - Revenue: $ 59.2 Million - Publication date: 2024-10-23

Victim: | Group:

INTERNAL.ROCKYMOUNTAINGASTRO.COM

Ransomware Group:

Trinity

Discovery Date: 2024-09-15 12:09

Sector: Healthcare

330Gb - Revenue: $60.3 Million - Publication date: 2024-10-16

Victim: | Group:

welland

Ransomware Group:

Trinity

Discovery Date: 2024-09-01 06:10

Sector: Business Services

full data base - Revenue: <$5 Million - Publication date: 2024-10-01

Victim: | Group:

Cosmetic Dental Group

Ransomware Group:

Trinity

Discovery Date: 2024-08-18 14:25

Sector: Healthcare

3.63 Tb - Revenue: <$5 Million - Publication date: 2024-09-18

Victim: | Group:

Banner and Associates

Ransomware Group:

Trinity

Discovery Date: 2024-08-13 13:03

Sector: Not Found

full data base(1,5 TB) - Revenue: $7.6 Million - Publication date: 2024-09-20

Victim: | Group:

sgvfr.com

Ransomware Group:

Trinity

Discovery Date: 2024-06-12 13:46

Sector: Financial

sgvfr.com - Revenue: 5kk - Publication date: 2024-06-30

Victim: | Group:

CBSTRAINING

Ransomware Group:

Trinity

Discovery Date: 2024-06-12 09:57

Sector: Business Services

CBSTRAINING - Publication date: 2024-06-30

Victim: | Group:

filmetrics corporation

Ransomware Group:

Trinity

Discovery Date: 2024-06-11 08:07

Estimated Attack Date: 2024-06-06

Sector: Technology

www.filmetrics.com.ph

Victim: | Group:

Infostealer information available for

Employees(s)	Customer(s)	Third Party Employee(s)

This information is provided by HudsonRock

/*
Trinity ransomware
*/


rule Trinity
{
    meta:
        author = "rivitna"
        family = "ransomware.trinity.windows"
        description = "Trinity ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $s0 = "\x00pbsecGOOD\x00" ascii
        $s1 = "\x00secpbGOOD\x00" ascii
        $s2 = "12210111111610599117115" ascii
        $s3 = "\x00OnlyCr :\x00" ascii
        $s4 = "\x00FullCr :\x00" ascii
        $s5 = "\x00enableOnlyTest \x00" ascii
        $s6 = "\x00EnableAutoStart \x00" ascii
        $s7 = "\x00enableSelfDelete \x00" ascii
        $s8 = "\x00enableStartOnRun \x00" ascii
        $s9 = "\x00enableWallaper \x00" ascii
        $s10 = "\x00enableNetwork \x00" ascii
        $s11 = "\x00enableCustomCMD1 \x00" ascii
        $s12 = "\x00enableFullEncrExt \x00" ascii
        $s13 = "\x00enableCryptOnlyExtension \x00" ascii
        $s14 = "\x00enableCryptOnlyExtension \x00" ascii
        $s15 = "\x00%s%x%x%x%x.goodgame\x00" wide

        $h0 = { B? 01 00 00 00 33 ?? 0F B6 [10] C1 E? 08 83 F? 18 72 EC }
        $h1 = { 00 6A 00 68 63 04 00 00 FF 35 [4] FF }

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            ((1 of ($h*)) and (4 of ($s*))) or
            (10 of them)
        )
}

Sites

Yara Rules

Negotiation chats

Ransom Note(s)

Activity over time

Worldmap

18 Victims

Kairav Chemofarbe Industries

consultoria-consultores.es

ROBONG-WINMINI

Lake Psychological Services

CANAM Realty Group

CNS

la-z-boy

Agencia Tributaria AEAT

Barnes & Cohen

FoccoERP

Fabrica Industrial Machinery & Equipment

INTERNAL.ROCKYMOUNTAINGASTRO.COM

welland

Cosmetic Dental Group

Banner and Associates

sgvfr.com

CBSTRAINING

filmetrics corporation

Infostealer information available for

Icon Legend