2023Lock
Description
2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It employs a hybrid encryption method combining XChaCha20 and curve25519xsalsa20poly1305, and appends the “.2023lock” extension to encrypted files. Upon infection, it delivers ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many modern ransomware groups, 2023Lock shows no evidence of double extortion or data exfiltration; it relies purely on file encryption to pressure victims into payment. Its codebase and operational patterns strongly align with TrinityLock, which emerged a few months later with more sophisticated extortion tactics.
External Analysis
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/2023lock
https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties/
https://www.broadcom.com/support/security-center/protection-bulletin/2023lock-ransomware
https://www.hhs.gov/sites/default/files/trinity-ransomware-threat-actor-profile.pdf