Ransomware.live 👀

Ransomware Group:

Trinity

Sponsored by Hudson Rock – Use Hudson Rock's free cybercrime intelligence tools to learn how compromised credentials are impacting your business

Sites

Title	Available	Last Visit	FQDN	Screenshot
Trinity	🟢	2024-09-19 14:57:36.649479	txtggyng5euqkyzl2knbejwpm4rlq575jn2egqldu27osbqytrj6ruyd.onion	📸

Yara Rules

Click here to open yara rules

Activity over time

7 Victims

INTERNAL.ROCKYMOUNTAINGASTRO.COM

Discovery Date: 2024-09-15 12:09

Sector: Healthcare

330Gb - Revenue: $60.3 Million - Publication date: 2024-10-16

welland

Discovery Date: 2024-09-01 06:10

Sector: Construction

full data base - Revenue: <$5 Million - Publication date: 2024-10-01

Cosmetic Dental Group

Discovery Date: 2024-08-18 14:25

Sector: Healthcare

3.63 Tb - Revenue: <$5 Million - Publication date: 2024-09-18

Banner and Associates

Discovery Date: 2024-08-13 13:03

Sector: Not Found

full data base(1,5 TB) - Revenue: $7.6 Million - Publication date: 2024-09-20

sgvfr.com

Discovery Date: 2024-06-12 13:46

Sector: Financial Services

sgvfr.com - Revenue: 5kk - Publication date: 2024-06-30

CBSTRAINING

Discovery Date: 2024-06-12 09:57

Sector: Business Services

CBSTRAINING - Publication date: 2024-06-30

filmetrics corporation

Discovery Date: 2024-06-11 08:07

Estimated Attack Date: 2024-06-06

Sector: Technology

www.filmetrics.com.ph

Infostealer information available for

Employees(s)	Customer(s)	Third Party Employee(s)

This information is provided by HudsonRock

/*
Trinity ransomware
*/


rule Trinity
{
    meta:
        author = "rivitna"
        family = "ransomware.trinity.windows"
        description = "Trinity ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $s0 = "\x00pbsecGOOD\x00" ascii
        $s1 = "\x00secpbGOOD\x00" ascii
        $s2 = "12210111111610599117115" ascii
        $s3 = "\x00OnlyCr :\x00" ascii
        $s4 = "\x00FullCr :\x00" ascii
        $s5 = "\x00enableOnlyTest \x00" ascii
        $s6 = "\x00EnableAutoStart \x00" ascii
        $s7 = "\x00enableSelfDelete \x00" ascii
        $s8 = "\x00enableStartOnRun \x00" ascii
        $s9 = "\x00enableWallaper \x00" ascii
        $s10 = "\x00enableNetwork \x00" ascii
        $s11 = "\x00enableCustomCMD1 \x00" ascii
        $s12 = "\x00enableFullEncrExt \x00" ascii
        $s13 = "\x00enableCryptOnlyExtension \x00" ascii
        $s14 = "\x00enableCryptOnlyExtension \x00" ascii
        $s15 = "\x00%s%x%x%x%x.goodgame\x00" wide

        $h0 = { B? 01 00 00 00 33 ?? 0F B6 [10] C1 E? 08 83 F? 18 72 EC }
        $h1 = { 00 6A 00 68 63 04 00 00 FF 35 [4] FF }

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            ((1 of ($h*)) and (4 of ($s*))) or
            (10 of them)
        )
}