Ransomware Roundup – Trigona | FortiGuard Labs

Fortinet’s FortiGuard Labs highlights the Trigona ransomware in its bi-weekly Ransomware Roundup, detailing its double-extortion approach of encrypting endpoints and threatening to leak exfiltrated data. The report covers suspected infection vectors (emails, RDP, vulnerabilities), how the ransom notes guide victims to a Tor-based decryption flow, and Fortinet’s protections and guidance for prevention and response. #Trigona #FortiGuardLabs

Key points

  • Trigona ransomware uses a double-extortion model: encrypts data and threatens to release exfiltrated data if not paid.
  • First reported in October 2022; public reports indicate activity ramped up toward end of 2022.
  • Infection vector not identified; suspected methods include distribution via emails, RDP, and exploiting vulnerabilities.
  • Encryption process adds a “._locked” extension to affected files and leaves a how_to_decrypt.hta ransom note with recovery and contact details.
  • Victims may be directed to a Tor-based decryption page or may contact the attackers by email; the ransom is typically demanded in Monero (XMR).
  • Fortinet protection includes AV signatures (e.g., W32/Filecoder.OLC!tr.ransom) and FortiEDR/IPS coverage; the report emphasizes training, backups, Zero Trust, and EDR.

MITRE Techniques

  • [T1021.001] Remote Desktop Protocol – Initial access or lateral movement via Remote Desktop Protocol; RDP is a suspected distribution method. Quote: “Remote Desktop Protocol (RDP) … are suspected distribution methods.”
  • [T1190] Exploitation for Initial Access – Exploiting vulnerabilities as a suspected distribution method to gain initial access. Quote: “…exploiting vulnerabilities are suspected distribution methods.”
  • [T1486] Data Encrypted for Impact – Ransomware encryption of files on compromised machines, including adding a “._locked” extension. Quote: “encrypts files on compromised machines and adds a ‘._locked’ file extension to those encrypted files.”
  • [T1041] Exfiltration – Double-extortion by threatening to release exfiltrated data on the internet if payment is not made. Quote: “threatening to release exfiltrated data from those machines on the internet if a ransom is not paid.”

Indicators of Compromise

  • [File hash] File-based IOCs – 248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db, 596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864, and 13 more hashes
  • [File name] File name IOC – how_to_decrypt.hta
  • [File extension] File extension IOC – ._locked
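The two on-disk indicators above (the “._locked” rename and the how_to_decrypt.hta note) plus the quoted SHA-256 hashes can be turned into a simple triage check over a file listing. This is an added example written for this summary, not code from FortiGuard Labs; the hash set holds only the two hashes quoted on the page, and the sample listing is constructed.

```python
import hashlib
from collections import defaultdict
from pathlib import PureWindowsPath

# File-based indicators named in the roundup.
TRIGONA_EXTENSION = "._locked"
TRIGONA_NOTE = "how_to_decrypt.hta"
# The two SHA-256 hashes quoted on the page; the other 13 are not reproduced here.
TRIGONA_SHA256 = {
    "248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db",
    "596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864",
}

def sha256_hit(data: bytes) -> bool:
    """True if the SHA-256 of a file's bytes is in the published hash list."""
    return hashlib.sha256(data).hexdigest() in TRIGONA_SHA256

def triage_paths(paths):
    """Group a file listing by directory and grade each directory on the two
    on-disk indicators: renamed files ('._locked') and the dropped ransom note.
    Returns {directory: {"locked": count, "note": bool, "verdict": str}}
    for every directory showing at least one indicator."""
    stats = defaultdict(lambda: {"locked": 0, "note": False})
    for raw in paths:
        path = PureWindowsPath(raw)          # the note is an HTA, so Windows paths
        directory = str(path.parent).lower()
        name = path.name.lower()
        if name.endswith(TRIGONA_EXTENSION):
            stats[directory]["locked"] += 1
        elif name == TRIGONA_NOTE:
            stats[directory]["note"] = True
    findings = {}
    for directory, s in stats.items():
        if s["note"] and s["locked"]:
            s["verdict"] = "high"        # note plus renamed files: encryption ran here
        else:
            s["verdict"] = "medium"      # a single indicator: investigate
        findings[directory] = s
    return findings

# Constructed sample listing (not from the report) mixing affected and clean directories.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx._locked",
    r"C:\Users\alice\Documents\notes.docx._locked",
    r"C:\Users\alice\Documents\how_to_decrypt.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"D:\Shares\finance\q3.pdf._locked",
]

if __name__ == "__main__":
    for directory, s in sorted(triage_paths(SAMPLE_LISTING).items()):
        print(f"{s['verdict']:6} {directory} locked={s['locked']} note={s['note']}")
```

Feed it a file listing exported from EDR or a share inventory; directories graded “high” are where the note and renamed files coexist, which is the strongest sign the encryption phase completed there.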

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware