Ukrainian Hacktivists Wipe Trigona Ransomware Gang’s Servers


October 19, 2023

World map

Reports indicate hactivists aligned with the Ukrainian Cyber Alliance compromised systems under the control of the Trigona ransomware gang, exfiltrated hundreds of gigabytes of data including source code and potentially decryption keys, and then wiped the servers.

“After a UCA activist using the handle herm1t published screenshots of the ransomware gang's internal support documents, BleepingComputer was told that Trigona ransomware initially panicked and responded by changing the password and taking down its public-facing infrastructure,” BleepingComputer reports.

“However, over the next week, the activists managed to take all the information from the threat actor’s administration and victim panels, their blog and data leak site, and internal tools (Rocket.Chat, Jira, and Confluence servers).”

Takeaway: Another takedown of a disruptive cybercriminal operation is welcome news. The ransomware gang emerged around June of 2022 and operators had been observed scanning for internet-exposed Microsoft SQL servers to exploit via brute-force or dictionary attacks, and they also maintained a Linux version.  

Trigona was written in Delphi and includes a data wiper feature and had been observed to exfiltrate victim data for double extortion. The attackers will drop malware researchers dubbed CLR Shell to collect system information, to make configuration changes, and to escalate privileges by way of a vulnerability in the Windows Secondary Logon Service.  

Trigona attack volume in 2022 was minimal, but increased in the first half of 2023 with more than twice the detected attacks in Q1-2023 than in the entire second half of 2022.  

Trigona may be opportunistic, but most attacks seem to focus on companies in the technology, healthcare, banking, manufacturing, and retail sectors – ransom demand averages are unclear.

There are multiple Trigona versions in the wild targeting both Windows and Linux systems. Trigona TTPs have some overlap with BlackCat/ALPHV but are considered much less technically savvy.  

They employ a 4,112-bit RSA and 256-bit AES encryption in OFB mode which is buggy and complicated to decrypt, but they do have a reputation for reliably providing the decryption sequence to victims who pay the ransom demand.  

Trigona also abused legitimate programs including AteraAgent, Splash Top, ScreenConnect, AnyDesk, LogMeIn and TeamViewer.  

Good riddance... is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.