Trigona attacks Leidos

Incident Date:

September 5, 2023

World map



Trigona attacks Leidos






Reston, USA

Virgina, USA

First Reported

September 5, 2023

The Trigona Ransomware Gang Attacks Leidos

Leidos Holdings, Inc. is an American defense, aviation, information technology, and biomedical research company. It is a Fortune 500 company and one of the largest government contractors in the United States. Leidos provides a wide range of services and solutions primarily to government agencies, including the Department of Defense, intelligence communities, civil agencies, and various other organizations.

Trigona posted Leidos to its data leak site on September 5th, demanding a $300,000 ransom. Trigona is not a traditional RaaS. The ransomware gang emerged around June of 2022 and operators have been observed scanning for internet-exposed Microsoft SQL servers to exploit via brute-force or dictionary attacks, and they also maintain a Linux version.

Attack Methodology

The attackers will drop malware researchers dubbed CLR Shell to collect system information, to make configuration changes, and to escalate privileges by way of a vulnerability in the Windows Secondary Logon Service. There are multiple Trigona versions detected in the wild targeting both Windows and Linux systems.

Trigona TTPs have some overlap with BlackCat/ALPHV but are considered much less technically savvy. They employ a 4,112-bit RSA and 256-bit AES encryption in OFB mode which is buggy and complicated to decrypt, but they do have a reputation for reliably providing the decryption sequence to victims who pay the ransom demand.

Abused Legitimate Programs

Trigona abuses legitimate programs including AteraAgent, Splash Top, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.