2023-07-06

The Range of Trigona Ransomware

Level: Tactical

Category: Ransomware News | Industries: Financial, Healthcare, Insurance, Manufacturing, Technology, Utilities | Source: Trend Micro

Trigona ransomware, which emerged in October 2022, appears to be actively evolving, with both Windows and Linux versions of its encryptor in use against organizations worldwide. In a report from Trend Micro, researchers identified the United States, India, and Turkey as the primary targets of Trigona ransomware variants. The United States leads with 28% of the attacks, followed by India with 25%; Turkey, at 9%, is a distant third. A wide range of industries is targeted, but the most significantly impacted sectors are technology, healthcare, and financial entities.

According to the analysis aggregated by Trend Micro, Trigona operators have obtained initial access by exploiting vulnerabilities such as the ManageEngine vulnerability CVE-2021-40539 and by using compromised credentials. Once a foothold is established on the network, discovery tools and remote access software are deployed for lateral movement. Discovery tools include Netscan and Advanced Port Scanner. Several popular remote access products are used, including AnyDesk, LogMeIn, ScreenConnect, Splashtop, and TeamViewer. Threat actors also use Cobalt Strike for lateral movement and command and control (C2). Trigona operators rely on batch scripts to disable security solutions and establish persistence on compromised systems.

Prior to ransomware deployment, credentials are harvested with Mimikatz and files of interest are exfiltrated with tools such as FileZilla. The stolen data combined with ransomware encryption gives the operators leverage for double extortion; the data leak site, "Trigona Leaks," is used to shame and extort victims. As noted by Trend Micro, the attackers also identify victims who have submitted payments.
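As an added illustration, not taken from the Trend Micro report or the original post, the Python sketch below correlates the tooling stages described in the two paragraphs above over constructed process-creation events, flagging a host only when several distinct stages appear together. The tool-name patterns, sample hosts, paths and service names are assumptions chosen for the demo; a real deployment would tune them to the environment's telemetry.

```python
"""Toy stage-correlation detector for the Trigona intrusion chain summarized above.
All events below are constructed sample telemetry, not real logs."""
import re
from collections import defaultdict

# One pattern per stage named in the report, matched against image path + command line.
STAGE_PATTERNS = {
    "discovery":         re.compile(r"netscan|advanced[ _]?port[ _]?scanner", re.I),
    "remote_access":     re.compile(r"anydesk|logmein|screenconnect|splashtop|teamviewer", re.I),
    "credential_access": re.compile(r"mimikatz", re.I),
    "exfiltration":      re.compile(r"filezilla", re.I),
    # service stop/disable from a shell, the report's "disable security solutions" step
    "defense_evasion":   re.compile(r"\b(net1?\s+stop|sc(\.exe)?\s+(config|stop|delete))\b", re.I),
}

def classify(event):
    """Return the set of report stages a single process-creation event matches."""
    text = f"{event['image']} {event['cmdline']}"
    stages = {name for name, pat in STAGE_PATTERNS.items() if pat.search(text)}
    # Only count service tampering when launched from a batch/cmd.exe context;
    # service stops with a legitimate parent (services.exe, installers) are noise.
    if "defense_evasion" in stages and "cmd.exe" not in event.get("parent", "").lower():
        stages.discard("defense_evasion")
    return stages

def correlate(events, min_stages=3):
    """Group stage hits per host; hosts showing >= min_stages distinct stages are flagged.
    A single remote-access tool on its own is routine admin activity and is not flagged."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}

# Constructed sample events (Sysmon-style process creation, simplified to four fields).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe"},
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop ExampleAVService"},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "WS03", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # WS01 flagged with four stages; WS02 and WS03 are not
```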
