Trigona ransomware spotted in increasing attacks worldwide

Nov 30, 2022 | News

A previously unnamed ransomware has rebranded under the name ‘Trigona,’ launching a new Tor negotiation site where they accept Monero as ransom payments.


Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilized email for negotiations and were not branded under a specific name.

As discovered by MalwareHunterTeam, starting in late October 2022, the ransomware operation launched a new Tor negotiation site where they officially named themselves ‘Trigona.’

As Trigona is the name of a family of large stingless bees, the ransomware operation has adopted a logo showing a person in a cyber bee-like costume, shown below. 

Trigona ransomware operation's logo
Source: BleepingComputer

BleepingComputer is aware of numerous victims of the new ransomware operation, including a real estate company and what appears to be a village in Germany.


The Trigona Ransomware


BleepingComputer analyzed a recent sample of Trigona and found it supports various command line arguments that determine whether local or network files are encrypted, if a Windows autorun key is added, and whether a test victim ID (VID) or campaign ID (CID) should be used.

The command line arguments are listed below:

/full
/!autorun
/test_cid
/test_vid
/path
/!local
/!lan
/autorun_only
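The switch list above is a usable process-creation detection signal. The following Python is an added example, not code from the article or from BleepingComputer's analysis: it tokenizes a Windows command line, extracts the slash-switches and flags a process when it carries the switches the analysed sample was seen to support. The event records, host names and executable paths are constructed sample data, and the scoring rule (a lone hit on a generic-looking switch such as /full or /path is ignored, any other known switch counts on its own) is a heuristic of this example, not something the article states.

```python
import shlex

# Command-line switches reported for the analysed Trigona sample (taken from the
# article above). The '/!' prefix appears to negate the option, e.g. /!autorun.
TRIGONA_SWITCHES = frozenset({
    "/full", "/!autorun", "/test_cid", "/test_vid",
    "/path", "/!local", "/!lan", "/autorun_only",
})

# Heuristic of this example, not something the article states: /full and /path
# are common enough in legitimate tools that a lone hit on either is ignored.
GENERIC_SWITCHES = frozenset({"/full", "/path"})


def extract_switches(cmdline: str) -> set[str]:
    """Return the lower-cased slash-switches of a Windows command line.

    shlex in non-POSIX mode keeps quoted arguments (paths with spaces, UNC
    shares) as single tokens and does not treat backslashes as escapes, so
    the value following /path is not mistaken for a switch.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    return {t.lower() for t in tokens[1:] if t.startswith("/")}


def matched_switches(cmdline: str) -> set[str]:
    """Switches on the command line that are in the Trigona set."""
    return extract_switches(cmdline) & TRIGONA_SWITCHES


def is_suspicious(cmdline: str) -> bool:
    """True when the command line carries a distinctive Trigona switch, or at
    least two of the known switches together."""
    hits = matched_switches(cmdline)
    distinctive = hits - GENERIC_SWITCHES
    return bool(distinctive) or len(hits) >= 2


# Constructed process-creation events; hosts and paths are invented for the demo.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": r'"C:\Users\Public\build.exe" /full /!autorun /test_vid'},
    {"host": "WS02", "cmd": r'"C:\Windows\System32\chkdsk.exe" D: /f /r'},
    {"host": "WS03", "cmd": r'C:\Tools\backup.exe /full'},
    {"host": "FS01", "cmd": r'C:\ProgramData\svc.exe /path "\\fs01\shares" /!local'},
]


def find_suspicious(events) -> list[str]:
    """Return the hosts whose process command lines look like the Trigona sample."""
    return [e["host"] for e in events if is_suspicious(e["cmd"])]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["host"], sorted(matched_switches(event["cmd"])), is_suspicious(event["cmd"]))
```

Feed it the command-line field of your EDR or Sysmon process-creation events; the switch set is the only Trigona-specific part, so it is easy to extend when further samples are documented.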

When encrypting files, Trigona will encrypt all files on a device except those in specific folders, such as the Windows and Program Files folders. In addition, the ransomware will rename encrypted files to use the ._locked extension. 

For example, the file 1.doc would be encrypted and renamed to 1.doc._locked, as shown below.

Files encrypted by Trigona
Source: BleepingComputer

The ransomware will also embed the encrypted decryption key, the campaign ID, and the victim ID (company name) in the encrypted files.

Encrypted file with file markers
Source: BleepingComputer

A ransom note named how_to_decrypt.hta will be created in each scanned folder. This note displays information about the attack, a link to the Tor negotiation site, and a link that copies an authorization key into the Windows clipboard needed to log in to the Tor negotiation site.
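A responder triaging a host can use the two file-system artefacts described above, the ._locked suffix and the how_to_decrypt.hta note dropped per folder, to scope which directories were touched. The following Python is an added example, not the article's or BleepingComputer's code: it builds a small constructed directory tree with those artefacts in a temporary folder, walks it, lists the encrypted files with their original names, and reports folders that contain encrypted files but no note. The sample tree contents are constructed, and the markers embedded inside encrypted files are not modelled because the article does not describe their format.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

LOCKED_SUFFIX = "._locked"          # extension appended to encrypted files (from the article)
RANSOM_NOTE = "how_to_decrypt.hta"  # note dropped in each scanned folder (from the article)


@dataclass
class TriageReport:
    locked_files: list[Path] = field(default_factory=list)
    note_dirs: set[Path] = field(default_factory=set)

    def original_names(self) -> list[str]:
        """Pre-encryption file names, recovered by stripping the appended suffix."""
        return [p.name[: -len(LOCKED_SUFFIX)] for p in self.locked_files]

    def dirs_missing_note(self) -> set[Path]:
        """Folders holding encrypted files but no ransom note."""
        return {p.parent for p in self.locked_files} - self.note_dirs


def triage_tree(root: Path) -> TriageReport:
    """Walk a tree and collect the two Trigona file-system artefacts."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            if name.lower() == RANSOM_NOTE:
                report.note_dirs.add(folder)
            elif name.lower().endswith(LOCKED_SUFFIX):
                report.locked_files.append(folder / name)
    return report


def build_constructed_sample(root: Path) -> None:
    """Create a small tree mimicking the artefacts; contents are constructed, not real."""
    layout = {
        "docs": ["1.doc._locked", RANSOM_NOTE, "readme.txt"],
        "photos": ["cat.jpg._locked", RANSOM_NOTE],
        "archive": ["q3.xlsx._locked"],   # encrypted but no note: worth a second look
        "empty": [],
    }
    for folder, files in layout.items():
        (root / folder).mkdir()
        for name in files:
            (root / folder / name).write_bytes(b"constructed placeholder content")


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        report = triage_tree(root)
        return {
            "locked_count": len(report.locked_files),
            "note_dir_count": len(report.note_dirs),
            "originals": sorted(report.original_names()),
            "dirs_missing_note": sorted(
                str(d.relative_to(root)) for d in report.dirs_missing_note()
            ),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point triage_tree at a mounted forensic image or a network share rather than the constructed tree to get the real scope; the folders-without-a-note check is a cheap way to spot where encryption was interrupted or where artefacts have already been cleaned up.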

Trigona ransom note
Source: BleepingComputer

After logging into the Tor site, the victim will be shown information on how to buy Monero to pay a ransom and a support chat that they can use to negotiate with the threat actors. The site also offers the ability to decrypt five files, up to 5MB each, for free.

BleepingComputer has not seen any active negotiations, and it is not known how much money the threat actors are demanding from victims.

Trigona Tor negotiation site
Source: BleepingComputer

When a ransom is paid, the victims will receive a link to a decryptor and a keys.dat file, which contains the private decryption key.

The decryptor allows you to decrypt individual files or folders on the local device and network shares.

Scan and decrypt screens of the Trigona decryptor
Source: BleepingComputer

It is unclear how the operation breaches networks or deploys the ransomware. Furthermore, while their ransom notes claim they steal data during attacks, BleepingComputer has not seen any proof of this.

However, their attacks have been increasing worldwide, and with the investment into a dedicated Tor platform, they will likely continue to expand their operations.

Source: bleepingcomputer.com
