2023Lock

Description

2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It uses a hybrid encryption scheme that combines the XChaCha20 stream cipher with the NaCl crypto_box construction (curve25519xsalsa20poly1305), a pairing that, when implemented correctly, leaves no recovery path without the operators' private key; encrypted files get the “.2023lock” extension appended to their original name. On infection it drops ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many contemporary ransomware groups, there is no evidence that 2023Lock performs data exfiltration or double extortion; its only leverage is the encryption itself. Its codebase and operational patterns closely match TrinityLock, which emerged a few months later with more sophisticated extortion tactics.
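The appended extension and the three note formats are the on-disk artefacts a responder can look for. The script below is an added example written for this page; it is not code from the page, from any vendor analysis, or from the malware itself. It walks a directory tree with the standard library only, collects files carrying the ".2023lock" suffix, checks that their contents actually look encrypted (Shannon entropy near 8 bits/byte, as XChaCha20 output would be) so that files merely renamed by an interrupted run are surfaced separately, recovers the pre-encryption name by stripping the suffix, and lists .txt/.html/.hta files sitting next to encrypted files as candidate ransom notes. The note file names are not given on the page, so matching notes by extension is an assumption, as is the 7.5-bit entropy cutoff; the sample tree is constructed for the demo and contains no real artefacts.

```python
"""Host triage for a suspected 2023Lock infection (added example, not page code)."""
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".2023lock"
NOTE_EXTS = {".txt", ".html", ".hta"}  # formats named on the page; file names assumed
ENTROPY_CUTOFF = 7.5                   # assumed: ciphertext scores ~7.9+, text ~4-5
SAMPLE_BYTES = 64 * 1024               # only the head of each file is sampled


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for a uniform byte distribution, 0.0 for empty."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def original_name(name: str) -> str:
    """'memo.docx.2023lock' -> 'memo.docx'; names without the suffix are unchanged."""
    return name[:-len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name


def scan_tree(root: str) -> dict:
    """Return paths relative to root, grouped as encrypted / low_entropy / notes."""
    encrypted, low_entropy, notes = [], [], []
    hit_dirs = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(ENCRYPTED_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            rel = os.path.relpath(path, root)
            # A renamed-but-unencrypted file (e.g. the process was killed mid-run)
            # is still recoverable, so it is reported separately.
            (encrypted if shannon_entropy(head) >= ENTROPY_CUTOFF else low_entropy).append(rel)
            hit_dirs.add(dirpath)
    # Notes are dropped alongside encrypted files, so only look there;
    # a lone .txt in an untouched directory is not evidence.
    for dirpath in hit_dirs:
        for name in os.listdir(dirpath):
            if os.path.splitext(name)[1].lower() in NOTE_EXTS:
                notes.append(os.path.relpath(os.path.join(dirpath, name), root))
    return {"encrypted": sorted(encrypted),
            "low_entropy": sorted(low_entropy),
            "notes": sorted(notes)}


def build_sample_tree(root: str) -> None:
    """Constructed sample input: one encrypted file, one renamed-only file,
    two placeholder notes, and an untouched directory as a control."""
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    uniform = bytes(range(256)) * 16            # stands in for XChaCha20 ciphertext
    with open(os.path.join(docs, "budget.xlsx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(uniform)
    with open(os.path.join(docs, "memo.docx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(b"Quarterly memo\n" * 200)       # renamed but still plaintext
    for note in ("note.txt", "note.hta"):        # placeholder names, not the real ones
        with open(os.path.join(docs, note), "w") as fh:
            fh.write("placeholder ransom note text\n")
    with open(os.path.join(clean, "readme.txt"), "w") as fh:
        fh.write("unrelated file in an untouched directory\n")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}:")
        for p in paths:
            extra = "" if key == "notes" else f"  (was {original_name(os.path.basename(p))})"
            print(f"  {p}{extra}")
```

Run it against a mounted image or a live host root instead of the temp directory to get a per-directory picture of what was touched; the low_entropy bucket is worth checking first, since those files need no key at all, and the notes list tells you which directories the encryptor actually reached.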

External Analysis
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/2023lock
https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties/
https://www.broadcom.com/support/security-center/protection-bulletin/2023lock-ransomware
https://www.hhs.gov/sites/default/files/trinity-ransomware-threat-actor-profile.pdf