Technical Analysis of Trigona Ransomware

MITRE Techniques

• [T1059] Command-Line Interface – Trigona can be executed with or without command-line arguments. The latest versions of Trigona support the following parameters shown in Table 1. “Trigona can be executed with or without command-line arguments. The latest versions of Trigona support the following parameters shown in Table 1.”
• [T1060] Registry Run Keys/Startup Folder – The autorun registry value will be created in HKEY_CURRENT_USERSSoftwareMicrosoftWindowsCurrentVersionRun with a registry name that consists of an uppercase hex string derived from the MD5 hash of the CID reversed, with the registry value pointing to the Trigona ransomware executable path. “The autorun registry value will be created in … with a registry name that consists of an uppercase hex string derived from the MD5 hash of the CID reversed, with the registry value pointing to the Trigona ransomware executable path.”
• [T1218.005] Signed Binary Proxy Execution: HTA – Trigona creates an HTML Application (how_to_decrypt.hta) that contains the ransom note. “Trigona creates an HTML Application (HTA) file named how_to_decrypt.hta that contains the ransom note.”
• [T1486] Data Encrypted for Impact – Trigona utilizes 4,112-bit RSA and 256-bit AES encryption in OFB mode for file encryption. “Trigona utilizes 4,112-bit RSA and 256-bit AES encryption in OFB mode for file encryption.”
• [T1485] Data Destruction – The data wiper functionality overwrites files with NULL bytes and can erase full content when /erase is used. “overwrite files with NULL bytes, rename with a ._erased extension, and delete; by default the first 0x80000 bytes (512KB) will be overwritten” and “The wiper functionality is triggered by passing the /erase command-line parameter.”
• [T1041] Exfiltration – Trigona exfiltrates data prior to encryption and hosts a data leak site publicly. “exfiltrate data prior to performing file encryption and hosts a data leak site that is hosted on a publicly available website”