Cybersecurity Snapshots #40 - Trigona Ransomware

Cybersecurity Snapshots #40 -

Trigona Ransomware

According to cybersecurity firm Palo Alto Networks, a new ransomware family has proven highly active over the past several months. The new ransomware has been dubbed Trigona. Trigona has had minimal coverage by security news articles to date. The company noted that this lack of security community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations dominate the news headlines.

The malware emerged at the end of October 2022, targeting agriculture, construction, finance, high-tech, manufacturing, and marketing organizations in Australia, Italy, France, Germany, New Zealand, and the United States. Palo Alto Networks noted that one of the main features that set Trigona apart from other file-encrypting ransomware is that it uses a .hta ransomware note that contains JavaScript code to display payment instructions to the victim. The JavaScript code contains unique victim identifiers, a link to a Tor portal to negotiate with the attackers, and an email address. Based on the victim IDs embedded in identified ransom notes, Palo Alto Networks believes that at least 15 organizations were potentially compromised in December 2022 alone. Several other ransom notes were found in January and February 2023.

According to Palo Alto Networks, upon execution on the victim's system, the Trigona ransomware uses a Delphi AES library to encrypt files and appends the "_locked" extension to them. The malware achieves persistence for itself, and the dropped ransom note by modifying registry keys. Trigona's operators have been observed compromising a target's network, performing reconnaissance, employing Remote Monitoring and Management (RMM) software to download malware, creating new user accounts, and executing the ransomware. Some of the tools observed in Trigona attacks by researchers include NetScan (for reconnaissance), Start.bat batch script (copies files to a newly created folder), Turnoff.bat (a cleanup script), Newuser.bat (creates a new user account), Mimikatz, DC4.exe (executes a batch file to disable UAC, opens specific firewall ports, and enables remote desktop connections), and Advanced Port Scanner.

Palo Alto Networks noted that the ransomware operators also use a leak site to shame victims and pressure them into paying up by threatening to release stolen data. Posts on the leak site include descriptions of the company and stolen data, a timer, and a button to bid for the data. Palo Alto Networks noted that some posts on the leak site have countdown timers of over 300 days, and some have near-duplicate posts as on the Alphv (BlackCat) leak site, which suggests that Trigona might be leveraging BlackCat's reputation to extort victims. The leak site is no longer available on the surface web, indicating that it might have been a development environment before being moved to the dark web. Palo Alto Networks also identified similarities with the Tactics, Techniques, and Procedures (TTPs) associated with CryLock ransomware, which suggests that CryLock's operators might have moved on to the new ransomware family. Trigona ransomware is expected to claim many more victims this year, so organizations must be on the lookout for it.