Ransomware: “Trigona”

‘Trigona’ is a strain of ransomware that was first reported in October 2022. The threat actor(s) deploying this ransomware perform double extortion attacks. Multiple research reports note that the threat actors achieved initial access via a combination of brute force attacks, purchasing credentials from initial access brokers (“IABs”), and exploitation of vulnerable public-facing applications. By April 2023, Trigona began targeting compromised MSSQL servers, obtaining their credentials through brute force methods. In May 2023, a Linux version of Trigona was reported that shared similarities with its Windows counterpart. A high-profile incident involving Trigona occurred in Hong Kong recently.


Actions to Prevent a ‘Trigona’ Attack

Firewall

  1. Enable your firewalls as well as intrusion detection and prevention systems.
  2. Ensure the latest signatures have been applied to the IPS.
  3. Proactively monitor and validate incoming and outgoing network traffic for any unauthorized attempts to access the systems.
  4. For Palo Alto firewalls, you can also follow the “Product Protection Guide” in the report “Bee-Ware of Trigona, An Emerging Ransomware Strain”.

Clients & Servers

  1. Ensure the system has an up-to-date operating system (OS) and the latest software updates.
  2. Ensure your anti-virus software (such as Kaspersky or Windows Defender) has up-to-date signatures and perform scans regularly.
  3. Back up critical and important files regularly, keep the backups offline or in a separate location, and test the backup restoration process to verify reliability.
  4. Implement network segmentation to isolate critical systems and limit lateral movement within the network.
  5. Beware of phishing emails and DO NOT open emails/attachments from unknown or untrusted sources.
  6. Ensure all accounts have strong, unique passwords and enable 2FA.
  7. Review user accounts regularly.
  8. Disable unused ports and services.
  9. Disable command-line and scripting activities and permissions where possible.

Note: these are good defense-in-depth security recommendations for preventing infection, but these steps alone do not guarantee against infection.


As a Victim:

  1. Disconnect the system from the network IMMEDIATELY.
  2. DO NOT respond to the extortionists or attempt payment; instead, report the incident to your departmental IT Support, ITSC and the Police.


  • The Trigona threat actors achieved initial access via a combination of brute force attacks, purchasing credentials from initial access brokers (“IABs”), and exploitation of vulnerable public-facing applications.
  • The threat actors subsequently look to persist through various means.
  • Various open source and commonly used tools are leveraged by the threat actors to perform their malicious activities. These include:
    • Advanced Port Scanner and SoftPerfect Network Scanner for network reconnaissance.
    • ScreenConnect, AnyDesk, SplashTop, and various other legitimate remote desktop applications for lateral movement.
    • Mimikatz to gather passwords and credentials from victims’ machines for lateral movement.
    • A Cobalt Strike beacon deployed through PowerShell, which the threat actor then used to run the ransomware executable.
    • Files that terminate anti-virus related services and processes, such as turnoff.bat.
  • Data exfiltration, and use of a data wiper feature to hinder forensic analysis or destroy victims’ data.


File-based IoC Type
f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663 SHA-256
951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74 SHA-256
d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c SHA-256
a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9 SHA-256
2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357 SHA-256
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376 SHA-256
fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b SHA-256
41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff SHA-256
c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f SHA-256
1cece45e368656d322b68467ad1b8c02 MD5
530967fb3b7d9427552e4ac181a37b9a MD5
1e71a0bb69803a2ca902397e08269302 MD5
46b639d59fea86c21e5c4b05b3e29617 MD5
5db23a2c723cbceabec8d5e545302dc4 MD5
efb688214c3fe5d9273ec03641cf17af5f546b11c97a965a49f8e617278ac700 SHA-256
f64211b0a49589bb53523dfb88eb9937ab88c8fcea98e2aabcbee90f1828e94e SHA-256
11b0e9673bbeb978aa9b95bcad43eb21bbe0bbaaf7e5a0e20d48b93d60204406 SHA-256
eda603f4d469d017917f5d6affeb992fdf3b7971e49868ece8c38fb8e6f8b444 SHA-256
c4529a061f205aaee46c219123d15059d2161df2bd7c7b738dd2a2c1ffd8d3ee SHA-256
170fa5d29cdb562d41a054abf2a57ca29fc233805b59692a1a57ebf25449be7c SHA-256
f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684 SHA-256
197f4933680a611ad2234a22769bd079885f81956221ec0de172d5a19eab648e SHA-256
1017fcf607a329bb6ad046181c3656b686906a0767fff2a4a3c6c569c2a70a85 SHA-256
761b78ddab55b4e561607ce5ce9d424a7aec4f1994aad988f0612b096cdd1d6d SHA-256
097d8edb1762d7d3ded4360a9f5b4673a898937421f36853d2f5cde77e1bac93 SHA-256
bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13 SHA-256
853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e SHA-256
24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5 SHA-256
4724ee7274c31c8d418904ee7e600d92680a54fecdac28606b1d73a28ecb0b1e SHA-256
e22008893c91cf5bfe9f0f41e5c9cdafae178c0558728e9dfabfc11c34769936 SHA-256
8d069455c913b1b2047026ef290a664cef2a2e14cbf1c40dce6248bd31ab0067 SHA-256
544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc SHA-256
a15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6 SHA-256
b7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd SHA-256
e5cf252041045b037b9a358f5412ae004423ad23eac17f3b03ebef7c8147a3bb SHA-256
5603d4035201a9e6d0e130c561bdb91f44d8f21192c8e2842def4649333757ab SHA-256
69f245dc5e505d2876e2f2eec87fa565c707e7c391845fa8989c14acabc2d3f6 SHA-256
94979b61bba5685d038b4d66dd5e4e0ced1bba4c41ac253104a210dd517581b8 SHA-256
9c8a4159166062333f2f74dd9d3489708c35b824986b73697d5c34869b2f7853 SHA-256
c5d09435d428695ce41526b390c17557973ee9e7e1cf6ca451e5c0ae443470ca SHA-256
248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db SHA-256
596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864 SHA-256
704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2 SHA-256
859e62c87826a759dbff2594927ead2b5fd23031b37b53233062f68549222311 SHA-256
8f8d01131ef7a66fd220dc91388e3c21988d975d54b6e69befd06ad7de9f6079 SHA-256
97c79199c2f3f2edf2fdc8c59c8770e1cb8726e7e441da2c4162470a710b35f5 SHA-256
a86ed15ca8d1da51ca14e55d12b4965fb352b80e75d064df9413954f4e1be0a7 SHA-256
accd5bcf57e8f9ef803079396f525955d2cfffbf5fe8279f744ee17a7c7b9aac SHA-256
da32b322268455757a4ef22bdeb009c58eaca9717113f1597675c50e6a36960a SHA-256
e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc SHA-256
e97de28072dd10cde0e778604762aa26ebcb4cef505000d95b4fb95872ad741b SHA-256
fa6f869798d289ee7b70d00a649145b01a93f425257c05394663ff48c7877b0d SHA-256
fbba6f4fd457dec3e85be2a628e31378dc8d395ae8a927b2dde40880701879f2 SHA-256
fd25d5aca273485dec73260bdee67e5ff876eaa687b157250dfa792892f6a1b6 SHA-256
Other IoC Type
phandaledr@onionmail[.]org Ransom note contact email
farusbig@tutanota[.]com Ransom note contact email
how_to_decrypt.hta Ransom note name
3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion Trigona TOR negotiation portal
45.227.253[.]99 IP address associated with Trigona activity
45.227.253[.]106 IP address currently hosting Trigona leak site
45.227.253[.]98 IP address associated with Trigona activity
45.227.253[.]107 IP address associated with Trigona activity
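As an added example (not part of this advisory or of any report it cites), the following Python script shows one way a defender could act on the indicator tables above together with the traffic-monitoring advice in the “Firewall” section. It parses the advisory’s flattened `value TYPE` indicator lines, refangs defanged values such as `45.227.253[.]99`, hashes files under a directory and compares them with the listed MD5/SHA-256 digests, flags the ransom note file name, and searches firewall/proxy log lines for the listed IP addresses, contact e-mails and .onion portal. The log lines, the sample files and the extra “constructed test entry” digest are all constructed for the demonstration; the script contains and downloads no Trigona sample.

```python
"""Added example: match the advisory's Trigona IoCs against files and log lines.
The log lines, sample files and extra test digest below are constructed data."""
import hashlib
import os
import re
import tempfile

# A subset of the advisory's indicators, copied in its "value TYPE" layout.
IOC_TEXT = """\
f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663 SHA-256
1cece45e368656d322b68467ad1b8c02 MD5
4724EE7274C31C8D418904EE7E600D92680A54FECDAC28606B1D73A28ECB0B1E SHA-256
phandaledr@onionmail[.]org Ransom note contact email
how_to_decrypt.hta Ransom note name
3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion Trigona TOR negotiation portal
45.227.253[.]99 IP address associated with Trigona activity
45.227.253[.]106 IP address currently hosting Trigona leak site
"""

HASH_TYPES = {"MD5": 32, "SHA-256": 64}  # hex digest lengths

# Constructed firewall/proxy log lines (not real traffic).
SAMPLE_LOG_LINES = [
    "2023-09-11T02:14:07Z FW action=allow src=10.0.5.21 dst=45.227.253.99 dport=443",
    "2023-09-11T02:14:09Z FW action=allow src=10.0.5.21 dst=45.227.253.9 dport=443",
    "2023-09-11T02:15:30Z PROXY user=jdoe url=http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/ status=403",
    "2023-09-11T02:16:02Z FW action=allow src=10.0.5.21 dst=192.0.2.10 dport=443",
]


def refang(value):
    """Turn a defanged indicator (45.227.253[.]99) back into its real form."""
    return value.replace("[.]", ".").replace("[@]", "@")


def parse_iocs(text):
    """Split 'value TYPE...' lines into hash indicators and string indicators."""
    hashes, strings = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        value, _, ioc_type = line.partition(" ")
        if ioc_type in HASH_TYPES and len(value) == HASH_TYPES[ioc_type]:
            hashes[value.lower()] = ioc_type  # hex digests are case-insensitive
        else:
            strings[refang(value).lower()] = ioc_type
    return {"hashes": hashes, "strings": strings}


def scan_files(root, iocs):
    """Hash every file under root; return [(path, ioc_type, matched_value)]."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha = hashlib.md5(), hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    md5.update(chunk)
                    sha.update(chunk)
            for digest in (md5.hexdigest(), sha.hexdigest()):
                if digest in iocs["hashes"]:
                    hits.append((path, iocs["hashes"][digest], digest))
            if name.lower() in iocs["strings"]:  # e.g. the ransom note file name
                hits.append((path, iocs["strings"][name.lower()], name))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_no, indicator, description)] for lines containing a string IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for value, desc in iocs["strings"].items():
            # Boundary checks so 45.227.253.9 is not reported as 45.227.253.99.
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", low):
                hits.append((n, value, desc))
    return hits


def demo():
    """Run both scanners on constructed data; returns (file_hits, log_hits)."""
    iocs = parse_iocs(IOC_TEXT)
    payload = b"constructed sample payload, not malware\n"
    # Register the constructed file's own digest so the hash path is exercised
    # without shipping a real Trigona sample.
    iocs["hashes"][hashlib.sha256(payload).hexdigest()] = "SHA-256 (constructed test entry)"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.bin"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(tmp, "how_to_decrypt.hta"), "w") as fh:
            fh.write("constructed stand-in for the ransom note file name\n")
        with open(os.path.join(tmp, "readme.txt"), "w") as fh:
            fh.write("benign file\n")
        file_hits = scan_files(tmp, iocs)
    return file_hits, scan_logs(SAMPLE_LOG_LINES, iocs)


if __name__ == "__main__":
    for kind, hits in zip(("file", "log"), demo()):
        for hit in hits:
            print(kind, *hit)
```

Running the script executes `demo()` on the constructed data. In practice, replace `SAMPLE_LOG_LINES` with lines read from a firewall or proxy export and point `scan_files` at the directory to be checked. Hash matching only catches the exact samples listed above, so treat a clean hash scan as one signal alongside the behavioural indicators in the list (unexpected remote desktop tools, files such as turnoff.bat, connections to the listed addresses), not as proof that a host is unaffected.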


Published on: 11 Sep 2023