Trigona attacks Flamingo Holland

Incident Date:

September 5, 2023

World map



Trigona attacks Flamingo Holland


Flamingo Holland




Vista, USA

California, USA

First Reported

September 5, 2023

The Trigona Ransomware Attack on Flamingo Holland

The Trigona ransomware gang has attacked Flamingo Holland. Flamingo Holland is a prominent company specializing in the production and distribution of flower bulbs and perennial plants, particularly Dutch flower bulbs. Founded in 1991, Flamingo Holland is based in Vista, California, USA, and has earned a reputation for its high-quality bulbs and plants, as well as its commitment to horticultural excellence. Trigona posted Flamingo Holland to its data leak site on September 5th but provided no further details.

Understanding Trigona's Methodology

Trigona is not a traditional RaaS. The ransomware gang emerged around June of 2022 and operators have been observed scanning for internet-exposed Microsoft SQL servers to exploit via brute-force or dictionary attacks, and they also maintain a Linux version. The attackers will drop malware researchers dubbed CLR Shell to collect system information, to make configuration changes, and to escalate privileges by way of a vulnerability in the Windows Secondary Logon Service. There are multiple Trigona versions detected in the wild targeting both Windows and Linux systems.

Technical Details and Victim Response

Trigona TTPs have some overlap with BlackCat/ALPHV but are considered much less technically savvy. They employ a 4,112-bit RSA and 256-bit AES encryption in OFB mode which is buggy and complicated to decrypt, but they do have a reputation for reliably providing the decryption sequence to victims who pay the ransom demand. Trigona abuses legitimate programs including AteraAgent, Splash Top, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.