An Overview of the Different Versions of the Trigona Ransomware

Trigona is a rapidly evolving ransomware family that first appeared in 2022 and now exists in multiple Windows (32-bit and 64-bit) and Linux variants, all of which encrypt files with AES and append the ._locked extension. Operators gain initial access by exploiting ManageEngine CVE-2021-40539, brute-forcing MSSQL credentials, or using compromised accounts bought from network access brokers, then rely on Splashtop, a CLR shell against MS-SQL, and Mimikatz to move laterally, escalate privileges, and harvest credentials, and finally exfiltrate data that is published on Tor-hosted leak sites. #Trigona #ALPHV

Keypoints

  • Trigona first appeared in 2022 and has been continuously updated since, with 32-bit Windows, 64-bit Windows, and Linux builds.
  • Initial access vectors include exploitation of ManageEngine CVE-2021-40539, MSSQL brute-force attacks, and use of previously compromised accounts from brokers.
  • Lateral movement and remote control leverage legitimate tools such as Splashtop and network scanners, while CLR shell is used against MS-SQL to drop executables (e.g., nt.exe).
  • Defense-evasion includes dropping turnoff.bat to terminate AV-related services and randomizing encrypted filenames before appending ._locked.
  • All versions use AES (the Delphi TDCP_rijndael component) for file encryption; the accepted command-line arguments vary by build, with /sleep, /debug, /log_f, and /allow_system specific to the 64-bit Windows binary.
  • Operators use Mimikatz for credential harvesting and maintain leak/negotiation sites (including Tor) to publish stolen data and negotiate ransoms.
  • Detections are concentrated in the US and India, with the technology and healthcare industries most frequently affected.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘Trigona was found to be exploiting the ManageEngine vulnerability CVE-2021-40539 for initial access.’
  • [T1110] Brute Force – ‘By April 2023, Trigona began targeting compromised MSSQL servers by stealing credentials via brute force methods.’
  • [T1078] Valid Accounts – ‘the threat actors used previously compromised accounts by obtaining access from network access brokers.’
  • [T1021] Remote Services – ‘uses Splashtop (a legitimate remote access tool), which is used to drop further additional tools on a compromised machine.’
  • [T1562] Impair Defenses – ‘Trigona drops a file called turnoff.bat (detected as Trojan.BAT.TASKILL.AE) to terminate AV-related services and processes.’
  • [T1003] Credential Dumping – ‘Trigona’s operators employ the credential dumper Mimikatz to gather the passwords and credentials found on the machines of the victims.’
  • [T1068] Exploitation for Privilege Escalation – ‘CLR shell … is capable of multiple commands, including one that drops additional executables for privilege escalation (nt.exe).’
  • [T1486] Data Encrypted for Impact – ‘Trigona encrypts files in infected machines using AES encryption… appends the ._locked extension upon encryption.’
  • [T1041] Exfiltration Over Web Service – ‘we were able to find their file storage site (aeey7hxzgl6zowiwhteo5xjbf6sb36tkbn5hptykgmbsjrbiygv4c4id[.]onion). This site hosts critical data stolen from victims.’

Indicators of Compromise

  • [SHA256] Trigona samples – f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663, d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c, and 7 more hashes.
  • [File name] artifacts used by operators – turnoff.bat (batch script that terminates AV-related services and processes), how_to_decrypt.txt (ransom note dropped by the Linux binary).
  • [Domain / Onion] data leak storage – aeey7hxzgl6zowiwhteo5xjbf6sb36tkbn5hptykgmbsjrbiygv4c4id[.]onion (Tor file storage); leak sites observed on IPs using ports 8000 and 3000.
  • [CVE] exploited vulnerability – CVE-2021-40539 (ManageEngine) used for initial access.
  • [File extension] encrypted file marker – files appended with the ._locked extension and sometimes prepended with available_for_trial.

Trigona’s attack flow begins with one of several initial-access methods: exploitation of the ManageEngine vulnerability CVE-2021-40539, credential brute-force against exposed MSSQL servers, or the use of accounts purchased from network access brokers or compromised earlier. Once inside, operators deploy a legitimate remote-access tool (Splashtop) and network discovery utilities (Network Scanner, Advanced Port Scanner) to enumerate the environment and move laterally. Against MS-SQL targets they load a CLR shell to execute commands and drop additional binaries such as nt.exe, which is used for privilege escalation.

For defense evasion, Trigona drops a batch script (turnoff.bat) that stops AV-related services and processes; for persistence it can create autorun registry entries. Behavior is controlled by command-line arguments that differ across the 32-bit Windows, 64-bit Windows, and Linux builds: /r randomizes the encryption order, /full forces full-file rather than partial encryption, /p and /path restrict encryption to given paths, and /shdwn or /shutdown shuts the machine down after encryption. The 64-bit Windows build adds /sleep, /debug, /log_f, and /allow_system. Credential harvesting is performed with Mimikatz. The ransomware also carries an encrypted configuration resource that it decrypts at runtime to select the strings it uses (for example, the ransom note) and the files it targets.
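The switch list above is usable as a hunting signature on process-creation telemetry. The following is an added example (not code from the Trend Micro write-up or from the Trigona operators) that scores process-creation events by how many Trigona-specific switches appear as whole tokens on the command line, and separately flags the turnoff.bat and nt.exe artifacts by file basename. The `timestamp|host|image|cmdline` log format and the sample events are constructed for the example; the switch names and file names are the ones listed on this page.

```python
from dataclasses import dataclass, field

# Switches listed in the write-up; /p and /path take a value that follows them.
COMMON_FLAGS = {"/r", "/full", "/p", "/path", "/shdwn", "/shutdown"}
WIN64_ONLY_FLAGS = {"/sleep", "/debug", "/log_f", "/allow_system"}
TRIGONA_FLAGS = COMMON_FLAGS | WIN64_ONLY_FLAGS

# Operator artifacts from the write-up, matched on file basename only
# (a substring match on "nt.exe" would also hit "client.exe").
SUSPECT_FILES = {"turnoff.bat", "nt.exe"}


@dataclass
class Finding:
    host: str
    image: str
    flags: set = field(default_factory=set)
    artifacts: set = field(default_factory=set)
    note: str = ""


def extract_switches(cmdline):
    """Whole-token /switches, lower-cased: '/r:3' is not '/r', '/p C:\\x' yields '/p'."""
    return {tok.lower() for tok in cmdline.split() if tok.startswith("/")}


def basenames(image, cmdline):
    """Basenames of the image path and of every command-line token (either separator)."""
    names = set()
    for tok in [image, *cmdline.split()]:
        names.add(tok.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower())
    return names


def analyze_event(host, image, cmdline, min_flags=2):
    """Classify one process-creation event; returns a Finding or None.
    min_flags avoids alerting on a single generic switch such as /p."""
    hits = extract_switches(cmdline) & TRIGONA_FLAGS
    artifacts = SUSPECT_FILES & basenames(image, cmdline)
    if artifacts:
        return Finding(host, image, hits, artifacts, "known operator artifact")
    if len(hits) >= min_flags:
        note = "64-bit-only switch present" if hits & WIN64_ONLY_FLAGS else "Trigona-style switches"
        return Finding(host, image, hits, artifacts, note)
    return None


def hunt(log_lines):
    """Parse 'timestamp|host|image|cmdline' lines (assumed format) and collect Findings."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        _ts, host, image, cmdline = line.split("|", 3)
        finding = analyze_event(host, image, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed process-creation events, not data from a real incident.
SAMPLE_LOG = [
    r"2023-06-01T02:11:05Z|srv-db01|C:\Windows\Temp\svc.exe|svc.exe /full /shdwn /allow_system /log_f",
    r"2023-06-01T02:11:09Z|srv-db01|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\turnoff.bat",
    r"2023-06-01T02:12:40Z|ws-042|C:\Tools\archiver.exe|archiver.exe a backup.7z /p secret",
    r"2023-06-01T02:13:02Z|ws-042|C:\Windows\System32\robocopy.exe|robocopy.exe C:\src D:\dst /r:3 /w:5",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host}: {f.image} flags={sorted(f.flags)} artifacts={sorted(f.artifacts)} ({f.note})")
```

Only the first two sample events produce findings: the third carries a single generic `/p`, which stays below the two-switch threshold, and robocopy's `/r:3` is not the bare `/r` token. In a real deployment the threshold and the switch set are the knobs to tune against your own process-creation baseline.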

All Trigona variants encrypt files with AES (TDCP_rijndael); encrypted files are renamed (or in some cases prefixed with available_for_trial) and receive the ._locked extension. Operators apply double extortion: exfiltrated data is posted to a public leak site and to a Tor-hosted storage and negotiation portal, where it is used to negotiate with the victim or sold. Leak infrastructure has been observed on the nonstandard ports 8000 and 3000 and includes the Tor storage address listed above. When hunting for Trigona, defenders should check for the listed hashes, the turnoff.bat and how_to_decrypt.txt artifacts, files carrying the ._locked extension or the available_for_trial prefix, evidence of CVE-2021-40539 exploitation against ManageEngine, brute-force attempts against MSSQL, and anomalous Splashtop or CLR shell activity.
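The file-system indicators from this page can be turned into a triage scan for a suspect host or a mounted disk image. The following is an added example (not code from the Trend Micro write-up or from the operators) that walks a directory tree, tags files by the ._locked suffix, the available_for_trial prefix, the how_to_decrypt.txt ransom note, the turnoff.bat script, and a SHA-256 match against the two hashes given above, then counts encrypted files per top-level directory as a rough measure of blast radius. The sample tree, its contents, and the stand-in "dropper" whose digest is added to the hash set to exercise the hash path are all constructed for the example; only the two listed hashes and the file names come from the page.

```python
import hashlib
import pathlib
import tempfile

# Indicators from the write-up (two of the nine listed SHA-256 hashes).
TRIGONA_SHA256 = {
    "f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663",
    "d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c",
}
RANSOM_NOTES = {"how_to_decrypt.txt"}   # ransom note dropped by the Linux build
OPERATOR_FILES = {"turnoff.bat"}        # AV / process kill script
ENC_SUFFIX = "._locked"
TRIAL_PREFIX = "available_for_trial"
MAX_HASH_BYTES = 32 * 1024 * 1024       # assumed cap: skip hashing very large files


def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(path, hashes):
    """Tags for one file: name-based markers plus a hash check against known samples."""
    name = path.name.lower()
    tags = []
    if name.endswith(ENC_SUFFIX):
        tags.append("encrypted_file")
    if name.startswith(TRIAL_PREFIX):
        tags.append("trial_marker")
    if name in RANSOM_NOTES:
        tags.append("ransom_note")
    if name in OPERATOR_FILES:
        tags.append("operator_script")
    if path.stat().st_size <= MAX_HASH_BYTES and sha256_of(path) in hashes:
        tags.append("known_sample")
    return tags


def scan_tree(root, hashes=TRIGONA_SHA256):
    """Walk root; return {relative posix path: [tags]} for every file with at least one tag."""
    root = pathlib.Path(root)
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        tags = classify(p, hashes)
        if tags:
            hits[p.relative_to(root).as_posix()] = tags
    return hits


def summarize(hits):
    """Counts per tag, and encrypted files per top-level directory (blast radius)."""
    by_tag, by_dir = {}, {}
    for rel, tags in hits.items():
        for tag in tags:
            by_tag[tag] = by_tag.get(tag, 0) + 1
        if "encrypted_file" in tags:
            top = rel.split("/", 1)[0]
            by_dir[top] = by_dir.get(top, 0) + 1
    return by_tag, by_dir


def build_demo_tree(root):
    """Constructed sample tree, not data from a real incident."""
    root = pathlib.Path(root)
    (root / "finance").mkdir()
    (root / "finance" / "q1_report.xlsx._locked").write_bytes(b"\x00" * 64)
    (root / "finance" / "available_for_trial_budget.docx._locked").write_bytes(b"\x00" * 64)
    (root / "finance" / "how_to_decrypt.txt").write_text("constructed ransom note placeholder")
    (root / "Users" / "Public").mkdir(parents=True)
    (root / "Users" / "Public" / "turnoff.bat").write_text("@echo off\nrem constructed placeholder\n")
    (root / "Users" / "Public" / "notes.txt").write_text("benign file, should not be tagged")
    dropper = root / "Users" / "Public" / "dropper.bin"
    dropper.write_bytes(b"constructed stand-in for a Trigona binary")
    return root, sha256_of(dropper)


def demo():
    """Scan the constructed tree. The stand-in dropper's digest is added to the
    hash set only so the known_sample path is exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root, stand_in_digest = build_demo_tree(tmp)
        hits = scan_tree(root, TRIGONA_SHA256 | {stand_in_digest})
        return hits, summarize(hits)


if __name__ == "__main__":
    hits, (by_tag, by_dir) = demo()
    for rel, tags in sorted(hits.items()):
        print(f"{rel}: {', '.join(tags)}")
    print("by tag:", by_tag)
    print("encrypted files per top-level dir:", by_dir)
```

On a real host, point `scan_tree` at the mounted volume and pass the full set of nine hashes from the report; the per-directory counts of ._locked files are usually the quickest way to see where encryption started and whether the /p or /path switches were used to target specific shares.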

Read more: https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html