Researchers have observed that some old, unnamed ransomware has re-emerged as Trigona ransomware, along with several enhancements in its payment tactics. 

What has been discovered?

The malware has been active since the beginning of this year, and its operators were using email for ransom negotiations at the initial stage. 
  • More recently, MalwareHunterTeam discovered its new variant in late October, where it officially named itself Trigona, and adopted a Tor negotiation site.
  • Trigona has so far targeted several victims, including a real estate company and a village in Germany.

About Trigona

BleepingComputer researchers analyzed the recent Trigona sample and found it supports various command line arguments.
  • These argument-based commands determine whether local or network files are encrypted, whether a Windows autorun key is added, and should a test victim ID or campaign ID needs to be used.
  • During encryption, Trigona will encrypt all files on a device and avoid files in the Windows and Program Files folders. It will add ._locked extension to all encrypted files.
  • It will embed the encrypted decryption key, campaign ID, and victim ID (company name) in the encrypted files. 
  • It creates a ransom note named how_to_decrypt.hta in all scanned folders, which displays information about the attack and a link to the Tor negotiation site.

Moreover, the note shows a link that copies an authorization key into the Windows clipboard needed to log in to the ransomware’s Tor negotiation site.

The negotiation

  • After the victim logs in to the Tor site, it shows the information on how to buy Monero to pay a ransom. It further includes a support chat, that can be used to negotiate with the threat actors.
  • The Tor site offers the ability to decrypt five files, up to 5MB each, for free.
  • After paying the ransom, the victim receives a link to a functional decryptor and a keys.dat file, which incorporates the personal decryption key.


Experts have identified several victims targeted by the new Trigona ransomware, in the past few months. While experts have not seen any active negotiations and data stealing activities by the ransomware on its Tor site, the investments into a devoted Tor platform indicate it will likely continue to expand its operations.
Cyware Publisher