Trigona ransomware returns to hit Europe, Australia, and the US

March 20, 2023

First identified in October 2022, the new Trigona ransomware targeted organisations in the manufacturing, agriculture, finance, construction, and marketing sectors. The targeted organisations were mostly located in Australia, New Zealand, France, Germany, and the US.

However, researchers have recently detected increased activity from the strain, with attacks directed at the same regions it was previously known to target.

According to security experts, one of Trigona’s distinguishing features is its .hta ransom note, which contains JavaScript code that the operators use to display instructions to victims. The JavaScript also embeds a unique identifier for each victim, a URL to an attacker-owned Tor portal for negotiations, and a contact email address.

Ransom notes from the Trigona ransomware were found in the last two months of 2023.

At least 15 organisations across the targeted countries were attacked by the Trigona ransomware operators last December. The threat group’s most recent activity was spotted in January and February 2023, when further ransom notes were collected.

An in-depth analysis of the ransomware revealed that it uses a Delphi AES library to encrypt victims’ files and appends the ._locked extension to all encrypted files and folders. To maintain persistence, Trigona performs internal obfuscation routines before dropping its ransom notes.
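As an added example (not from the article or any vendor tooling), the following Python triage helper works from the two host-level artefacts described above: it counts files carrying the ._locked extension per directory and pulls the Tor negotiation URL and contact email out of an .hta note. The note text, file names and .onion address are constructed placeholders; the article does not give the real note filename or the victim-ID format, so the helper does not try to parse the ID.

```python
import posixpath
import re
from collections import Counter
from typing import Dict, Iterable, List

# Hypothetical triage helper for a responder; all sample data below is constructed.
LOCKED_EXT = "._locked"                  # extension the article reports Trigona appends
# Tor v2/v3 hostnames are base32 (a-z, 2-7); stop at whitespace, quotes or tags.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s\"'<>]*", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def count_locked(paths: Iterable[str]) -> Dict[str, int]:
    """Count ._locked files per directory to show how far encryption spread."""
    hits: Counter = Counter()
    for p in paths:
        if p.lower().endswith(LOCKED_EXT):
            hits[posixpath.dirname(p.replace("\\", "/"))] += 1
    return dict(hits)


def extract_note_indicators(hta_text: str) -> Dict[str, List[str]]:
    """Pull the negotiation portal and contact address out of an .hta ransom note."""
    return {
        "onion_urls": sorted(set(ONION_RE.findall(hta_text))),
        "emails": sorted(set(EMAIL_RE.findall(hta_text))),
    }


def triage(paths: Iterable[str], notes: Dict[str, str]) -> Dict[str, object]:
    """Combine both signals into one report; only .hta files with indicators are listed."""
    report: Dict[str, object] = {"locked_by_dir": count_locked(paths), "notes": {}}
    for path, text in notes.items():
        if path.lower().endswith(".hta"):
            ind = extract_note_indicators(text)
            if ind["onion_urls"] or ind["emails"]:
                report["notes"][path] = ind  # type: ignore[index]
    return report


# Constructed sample data (not real Trigona artefacts).
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx._locked",
    "C:/Users/alice/Documents/budget.xlsx._locked",
    "C:/Users/alice/Documents/ransom_note.hta",   # placeholder note filename
    "D:/Shares/finance/Q4.pdf._locked",
    "D:/Shares/finance/readme.txt",
]
SAMPLE_NOTE = """<html><head><HTA:APPLICATION ID="note"></head><script>
// constructed sample note, placeholder .onion host and address
var portal = "http://example3zxcvbnmasdfghjkl.onion/negotiate?id=VICTIM-PLACEHOLDER";
var contact = "support@example.invalid";
document.write("Your files are encrypted. Visit " + portal + " or mail " + contact);
</script></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, {"C:/Users/alice/Documents/ransom_note.hta": SAMPLE_NOTE}))
```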

Additionally, the Trigona ransomware compromises a network through a multi-stage procedure: performing reconnaissance, creating new user accounts, using remote monitoring and management (RMM) software to download payloads, and finally launching the ransomware on the machine.

To pressure victims into paying the ransom, Trigona established a leak site where its operators have also reportedly shamed victims and leaked samples of stolen files. Like other ransomware gangs in the wild, Trigona’s leak site displays the victim’s company name, a description, a countdown timer, and a button that lets other threat groups place bids on the data.

Because Trigona is not yet a well-known name in the cybercrime landscape, security experts stress that its operators use this low profile as leverage to carry out their attacks discreetly.
