Trigona Ransomware Gang Targets Portesa

The Trigona ransomware gang has attacked Portesa. Portesa is a pork products manufacturer headquartered in Lisbon, Portugal. Trigona posted Portesa to its data leak site on September 14th but provided no further details.

Understanding Trigona's Approach

Trigona is not a traditional RaaS. The ransomware gang emerged around June of 2022 and operators have been observed scanning for internet-exposed Microsoft SQL servers to exploit via brute-force or dictionary attacks, and they also maintain a Linux version. The attackers will drop malware researchers dubbed CLR Shell to collect system information, to make configuration changes, and to escalate privileges by way of a vulnerability in the Windows Secondary Logon Service.

Increasing Attack Volume in 2023

Trigona attack volume in 2022 was minimal, but is increasing in 2023, with more than twice the detected attacks in Q1-2023 than 2H-2022. As Trigona is emerging, it is unclear how much they typically demand for a ransom. There are multiple Trigona versions detected in the wild targeting both Windows and Linux systems.

Technical Details and Victimology

Trigona TTPs have some overlap with BlackCat/ALPHV but are considered to be much less technically savvy. They employ a 4,112-bit RSA and 256-bit AES encryption in OFB mode which is buggy and complicated to decrypt, but they do have a reputation for reliably providing the decryption sequence to victims who pay the ransom demand. Trigona abuses legitimate programs including AteraAgent, Splash Top, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer. Trigona may be opportunistic, but most attacks seem to focus on companies in the technology sector, healthcare, banking, manufacturing, and retail sectors.

Trigona is written in Delphi and includes a data wiper feature and has been observed to exfiltrate victim data for double extortion. Trigona hosts leaks site that public website versus being hosted on TOR.