All About: Trigona Ransomware


Trigona ransomware is a sophisticated and evolving threat that leverages vulnerabilities, legitimate tools, and double extortion tactics to target organizations, particularly in the technology and healthcare sectors. Collaboration with other threat actors like ALPHV enhances its capabilities. Prevention strategies are crucial, including robust cybersecurity measures and awareness of the risks associated with paying ransoms. Organizations are advised to utilize incident response services and maintain secure backups to mitigate the impact of Trigona attacks.

Key Findings

  • Emergence and Evolution: Trigona ransomware began its operations around late October 2022 and has been continuously updating its ransomware binaries 1.
  • Exploitation of Vulnerabilities: The ransomware exploits a vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) for initial access 2 3 4.
  • Use of Legitimate Tools: Trigona demonstrates excessive use of legitimate tools in their attacks, which complicates detection and response 5.
  • Connection with ALPHV: There is a connection between Trigona and ALPHV, indicating administrative collaboration and shared tactics between these sophisticated threat actors 6 7.
  • Targeted Industries and Regions: The technology and healthcare industries are primary targets, with the highest number of detections in the US and India, followed by Israel, Turkey, Brazil, and Italy 8.
  • Encryption Method: Trigona employs AES encryption to lock files on infected machines 9.
  • Credential Theft: The operators use the credential dumper Mimikatz to gather passwords and credentials from victims’ machines 10.
  • Linux Version Identified: A Linux version of Trigona was discovered, indicating an attempt to capitalize on the high-value Linux market 11.
  • Double Extortion Scheme: Trigona employs a double extortion scheme, threatening to release exfiltrated data if a ransom is not paid 12 13 14.
  • Ransomware Communication: A Tor site is used for victims to communicate with the threat actors to negotiate for the decryption tool 15.
  • Leak Site Features: The Trigona leak site includes a countdown timer and bidding options for leaked data 16.
  • File Extension and Ransom Note: Encrypted files are appended with a “._locked” extension, and victims receive an HTML-based ransom note 17 18 19.
  • Payment in Cryptocurrency: Victims are asked to pay the ransom in Monero (XMR) for its anonymity features 20 21.
  • Data Wiper Functionality: Trigona added data wiper functionality in an update around March 2023 22 19.
  • Programming Language: The core payload of Trigona is written in Delphi, while ALPHV/BlackCat’s payload is written in Rust 23.
  • Similarities with Other Ransomware: Trigona shares characteristics with CryLock ransomware and utilizes similar tactics and tools 24 25.
  • Persistence and Lateral Movement: Persistence is established via Registry Run keys, and lateral movement typically occurs via SMB 26.
  • Prevention and Response: Recommendations include enabling multifactor authentication, following the 3-2-1 backup rule, updating and patching systems regularly, and considering cloud-based security solutions 27 28.
  • Identification and Recovery: Infected machines can be identified by the file extension, and recovery should ensure the device is ransomware-free before restoring data from backups 29.

Author : Hendry Adrian