The Trigona Ransomware Gang's Attack on WPC

The Trigona ransomware gang has attacked WPC. Winter Park Construction (WPC), also known as Winter Park Construction Company, is a well-established general contracting and construction management firm based in Winter Park, Florida. As of my last knowledge update in September 2021, WPC had built a solid reputation in the construction industry for its expertise in various types of construction projects. Please note that there may have been developments or changes in the company's operations or projects since that time.

Trigona posted WPC to its data leak site on September 5th but provided no further details. The Trigona ransomware is a relatively recent addition to the ransomware landscape, with its activities dating back to approximately late October 2022. However, it's worth noting that traces of this ransomware existed as early as June 2022. Since its emergence, the operators behind Trigona have displayed a high level of activity, consistently updating their ransomware binaries.

Expansion and Technical Developments

In April 2023, Trigona expanded its scope to target compromised MSSQL servers by illicitly obtaining credentials through brute force methods. Additionally, in May 2023, we came across a Linux variant of the Trigona ransomware, which displayed similarities to its Windows counterpart.

Connections to Other Ransomware Groups

The threat actors associated with Trigona are purportedly the same group responsible for the CryLock ransomware. This connection is inferred from resemblances in their tools, tactics, and procedures (TTPs). Furthermore, there have been associations made between Trigona and the ALPHV group, also known as BlackCat. However, it is our belief that any parallels between Trigona and BlackCat/ALPHV ransomware are largely circumstantial. One plausible scenario is that BlackCat/ALPHV collaborated with the threat actors deploying Trigona but may not have been directly involved in its development and operational activities.