Trigona ransomware, which appeared on the threat landscape in late October 2022, is now increasingly targeting victims worldwide. Its activity peaked in December 2022, and its operators are still refining it.

Targets worldwide

Palo Alto researchers found two new and unique Trigona ransom notes in January and two in February.
  • These notes were presented in an HTML Application with embedded JavaScript containing uniquely generated computer IDs (CIDs) and victim IDs, a link to the negotiation Tor portal, and an email address to contact.
  • During December 2022, Trigona compromised at least 15 potential victim organizations across sectors including manufacturing, finance, construction, agriculture, marketing, and high technology.
  • The victim companies were mainly located in the U.S., Italy, France, Germany, Australia, and New Zealand.

Tools and techniques

  • Trigona operators obtain initial access and conduct reconnaissance using NetScan.
  • They transfer malware via a remote monitoring and management software named Splashtop.
  • The malware contains a script that removes evidence of the attack from a system, another script that creates new privileged user accounts, and an executable that runs Mimikatz to extract credentials and other sensitive information from Windows.
  • Further scripts generate and execute an embedded batch file, install the publicly available tool Advanced Port Scanner for lateral movement and discovery purposes, and deploy ransomware.
  • Upon execution, the ransomware binary encrypts files using TDCP_rijndael (a Rijndael/AES routine) and supports various command line arguments. It appends the ._locked extension to encrypted files, modifies registry keys to maintain persistence, and drops ransom notes.
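To make the host-level artifacts described above (the ._locked extension and the HTML Application ransom note carrying a Tor negotiation link and a contact address) concrete from a responder's side, here is an added triage script; it is an example written for this page, not Cyware's, Palo Alto's, or the ransomware's code. The directory tree, file names, regexes and note text are constructed assumptions, not Trigona indicators.

```python
"""Added triage example: walk a directory tree and flag files renamed
with the ._locked extension plus .hta files that look like HTA ransom
notes (inline script, a .onion link and an e-mail address). All sample
data, thresholds and regexes below are constructed, not real IoCs."""
import os
import re
import tempfile
from collections import Counter

LOCKED_SUFFIX = "._locked"
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def looks_like_hta_note(path):
    """Heuristic: .hta file with inline script, a .onion link and an e-mail."""
    if not path.lower().endswith(".hta"):
        return False
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            body = fh.read(65536)  # ransom notes are small; cap the read
    except OSError:
        return False
    return ("<script" in body.lower() and bool(ONION_RE.search(body))
            and bool(EMAIL_RE.search(body)))


def triage(root):
    """Return (Counter of ._locked files per directory, suspected notes)."""
    locked, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(LOCKED_SUFFIX):
                locked[dirpath] += 1
            elif looks_like_hta_note(full):
                notes.append(full)
    return locked, notes


def demo():
    """Build a constructed tree (2 encrypted files, 1 clean, 1 note), triage it."""
    docs = os.path.join(tempfile.mkdtemp(), "docs")
    os.makedirs(docs)
    for name in ("q1.xlsx._locked", "plan.docx._locked"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("ordinary, untouched file\n")
    with open(os.path.join(docs, "note.hta"), "w") as fh:  # constructed note
        fh.write('<html><script>var cid="CID-PLACEHOLDER";</script>'
                 'http://exampleexampleexam.onion/ mail: help@example.com')
    return triage(os.path.dirname(docs))
```

A per-directory count of ._locked files points at where encryption ran, while the note heuristic separates ransom notes from ordinary HTA files; tune both before use on a real host.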

Additional discoveries

  • Trigona operators are posting near-duplicate posts from other malware families such as BlackCat (ALPHV) on their leak site to pressure and extort victims.
  • Trigona and CryLock have similar AES encryption and similar phrases in their ransom notes, and both leave HTML-based ransom notes. The overlap in TTPs suggests the same operators are behind both ransomware families.

Wrapping up

Trigona has a global target reach and is still experimenting with its TTPs to expand it further. While its ransom notes claim that data is stolen during attacks, they do not threaten to leak it. Moreover, the leak site has so far posted only copied data, so security researchers suggest this could be a testing phase for the leak functionality before the site moves to the dark web.
Cyware Publisher