New Trigona ransomware emerges to propagate cyberattacks

December 12, 2022
Trigona Ransomware Malware Propagation Cyberattacks Cryptocurrency

Researchers have recently identified a previously unknown ransomware strain, which is now rebranded as ‘Trigona.’ According to reports, the operators of the new strain have launched a Tor website, through which they communicate with victims and accept ransom payments, usually in Monero.

Since the beginning of 2022, the Trigona ransomware has been observed in a small number of attacks in the wild, with victims including a real estate firm and a German village.

The Trigona ransomware supports different command-line arguments.

From a Trigona ransomware sample obtained by the security researchers, they found that the malicious strain supports several command-line arguments, which determine whether local or network files are encrypted, whether a Windows autorun key is added, and whether a test victim ID or campaign ID is to be used.

Moreover, when the ransomware strain encrypts the victims’ files, it excludes certain folders, such as the Program Files and Windows folders. Trigona then renames every encrypted file with the [.]_locked file extension and embeds the decryption key, victim ID, and campaign ID in it.

In most observed cases, the ransomware operators drop a ransom note named “how_to_decrypt[.]hta” in every scanned folder. The ransom note explains the attack’s details and contains a Tor negotiation site URL, together with a second link that copies an authorisation key to the clipboard, which the victim needs in order to log in to the Tor site.
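The two file-system artefacts described above (the [.]_locked extension on encrypted files and the how_to_decrypt[.]hta note dropped into scanned folders) are what an incident responder will see first on an affected share. The following is an added triage example, written for this article and not code from the researchers or the ransomware; it walks a directory tree, counts locked files per folder and collects the ransom-note paths, so the scope of encryption can be mapped quickly. The function names and the sample directory layout are constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Indicators stated in the article: encrypted files receive the "._locked"
# extension, and a ransom note named "how_to_decrypt.hta" is dropped in scanned folders.
LOCKED_EXT = "._locked"
RANSOM_NOTE = "how_to_decrypt.hta"


def triage_tree(root):
    """Walk a directory tree and summarise Trigona-style artefacts.

    Returns a dict with the number of locked files per directory, the sorted
    list of ransom-note paths, the total locked-file count, and the directories
    that hold locked files but no ransom note (worth a second look, since the
    note is normally dropped into every scanned folder).
    """
    locked_per_dir = Counter()
    note_dirs = set()
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if lowered.endswith(LOCKED_EXT):
                locked_per_dir[dirpath] += 1
            elif lowered == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                note_dirs.add(dirpath)
    return {
        "locked_per_dir": dict(locked_per_dir),
        "ransom_notes": sorted(notes),
        "total_locked": sum(locked_per_dir.values()),
        "locked_without_note": sorted(d for d in locked_per_dir if d not in note_dirs),
    }


def build_sample_tree():
    """Create a constructed directory layout mimicking a partially encrypted share.

    The folder and file names are made up for this example; only the extension
    and note name come from the article.
    """
    root = tempfile.mkdtemp(prefix="trigona_triage_")
    layout = {
        "finance": ["q3_report.xlsx._locked", "budget.docx._locked", RANSOM_NOTE],
        "hr": ["handbook.pdf._locked", RANSOM_NOTE],
        "archive": ["old_minutes.docx._locked"],  # locked files, but no note dropped
        "untouched": ["readme.txt"],
    }
    for sub, files in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for fname in files:
            with open(os.path.join(folder, fname), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary = triage_tree(sample_root)
    print(f"locked files: {summary['total_locked']}")
    for folder, count in sorted(summary["locked_per_dir"].items()):
        print(f"  {count:3d}  {folder}")
    print(f"ransom notes: {len(summary['ransom_notes'])}")
    for folder in summary["locked_without_note"]:
        print(f"  locked files but no note: {folder}")
```

Run against a real share the scanner should be pointed at the affected volume from a clean responder host, and the Program Files and Windows directories can be skipped since the article notes the strain excludes them; the per-folder counts give a first estimate of how far the encryption pass progressed before it was stopped.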

Once inside the Tor site, the victims are shown instructions on how to buy Monero (XMR) cryptocurrency in order to pay the ransom demand. A support chat is also available through which the victims can communicate with the Trigona ransomware operators. After a successful ransom payment, the threat operators send the victims a link to a decryptor.

There is currently no information about the ransomware group’s active operations and how much ransom they have accumulated from all their victims.

Additionally, researchers have yet to establish how the ransomware operators break into the targeted networks and deploy the Trigona ransomware. Samples of stolen data have also yet to be acquired and analysed by security researchers.

Nonetheless, the experts warn that the threat group’s investment in a new Tor site suggests it intends to keep expanding its attack operations. Users and organisations must always be equipped with sufficient cybersecurity protection against ransomware threats.
