Low-profile Ransomware Rebrands & Shines as New Trigona Ransomware

What has been discovered?

• More recently, MalwareHunterTeam discovered its new variant in late October, where it officially named itself Trigona, and adopted a Tor negotiation site.
• Trigona has so far targeted several victims, including a real estate company and a village in Germany.

About Trigona

• These argument-based commands determine whether local or network files are encrypted, whether a Windows autorun key is added, and should a test victim ID or campaign ID needs to be used.
• During encryption, Trigona will encrypt all files on a device and avoid files in the Windows and Program Files folders. It will add ._locked extension to all encrypted files.
• It will embed the encrypted decryption key, campaign ID, and victim ID (company name) in the encrypted files. 
• It creates a ransom note named how_to_decrypt.hta in all scanned folders, which displays information about the attack and a link to the Tor negotiation site.

The negotiation

• After the victim logs in to the Tor site, it shows the information on how to buy Monero to pay a ransom. It further includes a support chat, that can be used to negotiate with the threat actors.
• The Tor site offers the ability to decrypt five files, up to 5MB each, for free.
• After paying the ransom, the victim receives a link to a functional decryptor and a keys.dat file, which incorporates the personal decryption key.

Conclusion