The hacker group Trinity has claimed responsibility for a cyberattack directed at the Spanish Tax Agency (AEAT). Presumably through a double extortion ‘ransomware’ attack, the group claims to have stolen 560GB of data containing information on taxpayers and on the organization itself, and is demanding a ransom before December 31 to avoid publishing the leak.

Trinity is a relatively new cybercriminal organization, whose first attacks were identified in May of this year. In these attacks, the group uses a type of malicious software that infiltrates the victim’s computer systems in order to steal valuable information and then extorts the victims in exchange for a financial ransom.

In this context, the group asserts in a statement that one of its victims is the Spanish Tax Agency, following a malicious attack that occurred last Sunday, December 1, as reported by cybersecurity companies such as HackManac or Secure&IT. In the statement, the hackers say that the attack resulted in the theft of a total of 560GB of data containing sensitive information about taxpayers and the organization.

Likewise, Trinity has threatened to make all this data public if it does not receive a ransom of 38 million dollars (around 36 million euros at the current exchange rate) before Tuesday, December 31 of this year.

Double extortion ‘ransomware’

Specifically, the usual modus operandi of this group of malicious actors is the use of ‘ransomware’ capable of hijacking sensitive information, as recorded in previous operations of the Trinity group and collected in a report by the United States Information Security Office.

This ‘ransomware’, which is also called Trinity, spreads through phishing attacks using emails or malicious websites, or by exploiting software vulnerabilities to get into the system.

Once the computer is infected, the cybercriminals carry out a double extortion scheme, in which they first identify and steal confidential information, and then encrypt and lock it so that it cannot be used.

To do this, they use the encryption algorithm ChaCha20, which locks the data, making it inaccessible, and tags each file with the ‘.trinitylock’ extension. Thus, by encrypting the data to prevent its use, and subsequently threatening to leak it, they put double pressure on the victims to pay the ransom.
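A defender can turn the one concrete indicator the article gives, the ‘.trinitylock’ extension, into a simple detection: a burst of files being renamed to that extension on one host within a short window is the signature of mass encryption, while a single stray rename is not. The example below is added here and is not part of the original report; the file-activity log format (timestamp, host, RENAME old -> new) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-activity log (hypothetical format, not from any real product):
# "<ISO timestamp> <host> RENAME <old path> -> <new path>"
SAMPLE_LOG = """\
2024-12-01T03:10:01 fs01 RENAME /share/finance/q3.xlsx -> /share/finance/q3.xlsx.trinitylock
2024-12-01T03:10:02 fs01 RENAME /share/finance/q4.xlsx -> /share/finance/q4.xlsx.trinitylock
2024-12-01T03:10:02 fs01 RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.trinitylock
2024-12-01T03:10:04 fs01 RENAME /share/hr/staff.docx -> /share/hr/staff.docx.trinitylock
2024-12-01T03:10:05 fs01 RENAME /share/legal/contract.pdf -> /share/legal/contract.pdf.trinitylock
2024-12-01T09:41:17 fs02 RENAME /home/ana/draft.txt -> /home/ana/draft_v2.txt
2024-12-01T09:45:00 fs02 RENAME /home/ana/old.bak -> /home/ana/old.bak.trinitylock
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (\S+) -> (\S+)$")
RANSOM_EXT = ".trinitylock"  # extension reported for the Trinity ransomware


def parse_rename_events(log_text):
    """Parse log lines into (timestamp, host, old_path, new_path) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, old, new = m.groups()
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events


def detect_mass_encryption(events, window=timedelta(seconds=30), threshold=3):
    """Return {host: max_burst} for hosts where at least `threshold` files gained
    the ransom extension inside any sliding window of `window` seconds."""
    per_host = defaultdict(list)
    for ts, host, old, new in events:
        # Count only renames that newly add the extension (ignore already-tagged files).
        if new.endswith(RANSOM_EXT) and not old.endswith(RANSOM_EXT):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    print(detect_mass_encryption(parse_rename_events(SAMPLE_LOG)))  # {'fs01': 5}
```

Host fs02 produces a single ‘.trinitylock’ rename and stays below the threshold, which keeps the rule from firing on one-off events while still flagging the five-file burst on fs01.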

In fact, according to the US report, the hacker group also runs a victim support website to help victims decrypt their data, as well as a leak site where it publishes stolen data.

Link with other ‘ransomware’ groups

In addition, because of the group’s techniques and tactics, which are described as “sophisticated”, it has been linked to other ransomware groups with which it shares similarities, specifically 2023Lock and Venus, which also use ‘ransomware’ to steal data.

In the case of the attack that the Trinity group claims to have carried out against the Spanish Tax Agency, it is for the moment unknown whether the same ‘ransomware’, and therefore the same method of extortion, has been used.

For its part, the Tax Agency has confirmed to Europa Press that it has reviewed all its systems and that, for the moment, no signs of possibly encrypted equipment or of data exfiltration have been detected. Likewise, the agency has indicated that it continues to monitor all its systems.