‘Trigona’ is a strain of ransomware that was first reported in October 2022. The threat actor(s) deploying this ransomware perform double extortion attacks. Multiple research reports note that the threat actors achieved initial access via a combination of brute force attacks, credentials purchased from initial access brokers (“IABs”), and exploitation of vulnerable public-facing applications. By April 2023, Trigona began targeting compromised MSSQL servers, stealing credentials via brute force methods. In May 2023, a Linux version of Trigona that shared similarities with its Windows counterpart was reported. There has also been a recent high-profile incident in Hong Kong.
Firewall
Clients & Servers
Note: these are good defense-in-depth recommendations that help prevent infection, but these steps alone do not guarantee protection against infection.
File-based IoC | Type |
Other IoC | Type |
---|---|
phandaledr@onionmail[.]org | Ransom note contact email |
farusbig@tutanota[.]com | Ransom note contact email |
how_to_decrypt.hta | Ransom note name |
3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion | Trigona TOR negotiation portal |
45.227.253[.]99 | IP address associated with Trigona activity |
45.227.253[.]106 | IP address currently hosting Trigona leak site |
45.227.253[.]98 | IP address associated with Trigona activity |
45.227.253[.]107 | IP address associated with Trigona activity |
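As an added example (not part of the advisory), the following Python scanner refangs the indicators from the table above and flags any log line that contains one of them; the log lines it scans are constructed samples, not records from a real incident.

```python
import re

# Indicators copied from the advisory's "Other IoC" table, in the defanged form published.
TRIGONA_IOCS = {
    "phandaledr@onionmail[.]org": "Ransom note contact email",
    "farusbig@tutanota[.]com": "Ransom note contact email",
    "how_to_decrypt.hta": "Ransom note name",
    "3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion": "Trigona TOR negotiation portal",
    "45.227.253[.]99": "IP address associated with Trigona activity",
    "45.227.253[.]106": "IP address currently hosting Trigona leak site",
    "45.227.253[.]98": "IP address associated with Trigona activity",
    "45.227.253[.]107": "IP address associated with Trigona activity",
}


def refang(indicator: str) -> str:
    """Turn the published, defanged '[.]' form back into the literal value to search for."""
    return indicator.replace("[.]", ".")


# One compiled pattern per indicator. The lookarounds reject a neighbouring word character
# or dot, so 45.227.253.99 does not fire on 145.227.253.99 or 45.227.253.991.
_PATTERNS = [
    (re.compile(r"(?<![\w.])" + re.escape(refang(ioc)) + r"(?![\w.])", re.IGNORECASE), ioc, desc)
    for ioc, desc in TRIGONA_IOCS.items()
]


def scan_lines(lines):
    """Return (line_number, defanged_indicator, description) for every IoC hit in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern, ioc, desc in _PATTERNS:
            if pattern.search(line):
                hits.append((number, ioc, desc))
    return hits


# Constructed sample events: a firewall log, a file-creation event, a mail-gateway log,
# and a benign line with a near-miss IP that must not match.
SAMPLE_LOG = [
    "2023-09-11T02:14:07Z fw01 action=allow src=10.0.5.23 dst=45.227.253.99 dport=443",
    "2023-09-11T02:15:40Z host07 file_create path=C:\\Users\\Public\\how_to_decrypt.hta",
    "2023-09-11T02:16:02Z mailgw rcpt=phandaledr@onionmail.org status=blocked",
    "2023-09-11T02:17:00Z fw01 action=allow src=10.0.5.23 dst=145.227.253.99 dport=443",
]

if __name__ == "__main__":
    for number, ioc, desc in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {ioc} ({desc})")
```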
Published on: 11 Sep 2023