Trigona attacks ATMCo
Date:
March 15, 2024
Overview
Title
Trigona attacks ATMCo
Victim
ATMCo
Attacker
Trigona
Location
Size of Attack
Unknown/TBD
First Reported
March 15, 2024
Last Updated
October 31, 2022
The Trigona ransomware group has attacked ATMCo, and released a sample of purloined data, including financial data, invoices, customer data, tax documents, and more. A ransom of $150,000 has been demanded, with a deadline of 21 March. ATMCo is an ATM-as-a-Service businesses, including the self-service banking, payments, networking, telecommunications, and technology. It is a cash-generative business positioned to focus on delivering ATM-as-a-Service to a large, installed customer base across banks and retailers. The Trigona ransomware group, first tracked by Trend Micro as Water Ungaw, reared its head in October of 2022, although binaries of the ransomware were first seen as early as June of the same year. It ran a lucrative scheme, launching attacks around the world, and advertising revenues up to 20% to 50% for each successful attack. The group was also reported as communicating with network access brokers who provide compromised credentials via the Russian Anonymous Marketplace (RAMP) forum’s internal chats and using the sourced information to obtain initial access to targets. Bad actors behind the group are understood to be affiliated with CryLock as they use similar tactics, techniques, and procedures (TTPs), ransom note file names, as well as email addresses. In April 2023, Trigona began targeting compromised Microsoft SQL (MSSQL) Servers through brute-force attacks. A month later, researchers found a Linux version of Trigona that shared similarities with its Windows counterpart. The Trigona ransomware is also linked to BlackCat (also known as AlphaVM, AlphaV, or ALPHV); although at present, there are no known similarities between the two groups. It is possible that BlackCat only used or collaborated with the threat actors deploying Trigona. A report by Arete confirmed that Trigona had been seen exploiting CVE-2021=40539 for initial access. Once it takes hold of a target’s system and data, malefactors behind Trigona provide an authorization key for victims to register to the negotiation portal. Trigona published critical data stolen from victims, including documents and contracts on its leak site. The website had bidding options to acquire access to the leaked data and contained a countdown timer, which could have been used to place additional pressure on victims to pony up.
This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.