The Trigona Ransomware Attack on Treadwell-Tamplin & Co.

The Trigona ransomware gang has attacked Treadwell-Tamplin & Co. Treadwell-Tamplin & Co is an accounting firm, founded in 1970, headquartered in Madison, Georgia. They primarily provide taxation, audit and attestation, and managerial services. The firm has consists of three partners, five professional staff, and one support staff. Trigona posted Treadwell-Tamplin & Co to its data leak site on September 5th but provided no further details.

Background of Trigona Ransomware

The Trigona ransomware is a relatively recent addition to the ransomware landscape, with its activities dating back to approximately late October 2022. However, it's worth noting that traces of this ransomware existed as early as June 2022. Since its emergence, the operators behind Trigona have displayed a high level of activity, consistently updating their ransomware binaries.

Recent Developments

In April 2023, Trigona expanded its scope to target compromised MSSQL servers by illicitly obtaining credentials through brute force methods. Additionally, in May 2023, we came across a Linux variant of the Trigona ransomware, which displayed similarities to its Windows counterpart.

Connections to Other Ransomware Groups

The threat actors associated with Trigona are purportedly the same group responsible for the CryLock ransomware. This connection is inferred from resemblances in their tools, tactics, and procedures (TTPs). Furthermore, there have been associations made between Trigona and the ALPHV group, also known as BlackCat. However, it is our belief that any parallels between Trigona and BlackCat/ALPHV ransomware are largely circumstantial. One plausible scenario is that BlackCat/ALPHV collaborated with the threat actors deploying Trigona but may not have been directly involved in its development and operational activities.