New Trigona Ransomware Strain Is Up and Running, But Still Evolving

Security researchers have identified a new strain of ransomware at work and under active development in the wild.

The ransomware, called Trigona, after a species of bee, has been in operation since at least October 2022, when it was first detected. It then peaked in December, affecting companies in a variety of industries, from finance to construction, as well as agriculture and marketing.

The ransomware operators behind Trigona have a global reach, targeting companies in Australia, New Zealand, the United States, Italy, France and Germany.

However, it also appears that its operators are still perfecting Trigona. While the Trigona ransom notes do not threaten to leak data, the ransomware operators have been seen posting to a leak site on the surface web, using details copied from another group's leak site. According to Palo Alto Unit 42, this could indicate that the operators were testing the site's filtering functionality before moving it to the dark web.

That leak site has since been removed.

Trigona operators also use a unique HTML ransom note, encoded in JavaScript, with embedded links and even a link to a help page.

“Unit 42 investigators observed that the JavaScript within the ransom note contains the following information,” the Palo Alto experts said in a blog post, “a uniquely generated CID and VID, a link to the Tor negotiation, [and] an email address to contact.”

The note also warns that the ransom becomes more expensive the more time passes.

“Don’t waste your time,” the note said, “the decryption price increases every hour.”

Unit 42 also notes that Trigona operators may have previously been using CryLock ransomware. The malware packages share similar AES encryption, use similar phrases in their ransom notes, and both leave HTML-based ransom notes.

While Trigona’s operators are not identified at this time, they appear to be Russian speakers. Some of the malware code is written in Cyrillic and some of the remote commands use the password “Boris.”

In fact, password-protected encryption appears to be another unique and dangerous tactic.

“We hope that shedding light on Trigona and its unusual technique of using password-protected executables to obfuscate malware will help defenders better protect their organizations against this threat,” Unit 42 concluded.
