
2023lock


Intelligence Profile

2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It employs a hybrid encryption method combining XChaCha20 and curve25519xsalsa20poly1305, appending the “.2023lock” extension to encrypted files. Upon infection, it delivers ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many modern ransomware groups, there is no evidence that 2023Lock engages in double extortion or data exfiltration, operating purely through file encryption to pressure victims into payment. Its codebase and operational patterns strongly align with TrinityLock, which emerged a few months later with more sophisticated extortion tactics.

Threat Analysis

2023lock is a threat actor of undetermined national origin, engaged in cyber operations that are primarily financially motivated.

Financially motivated threat actors like 2023lock prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Aliases: 1

Also Known As

2023lock

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.