Trigona Ransomware Disection

Researchers have discovered a new ransomware family that has been highly active over the past several months.

The threat actor known to be Trigona, targets organizations in agriculture, construction, finance, high tech, manufacturing, and marketing in Australia, Italy, France, Germany, New Zealand, and the United States.

Trigona stands out peculiar from other file-encrypting ransomware out there is the use of a .hta ransomware note that contains JavaScript code to display payment instructions to the victim that contains unique victim identifiers, a link to a Tor portal to negotiate with the attackers, and an email address.

Trigona ransomware uses a Delphi AES library to encrypt files and appends the ‘_locked’ extension to them. The malware achieves persistence for itself and the dropped ransom note by modifying registry keys.

Trigona’s operators have been observed compromising a target’s network, performing reconnaissance, employing remote monitoring and management (RMM) software to download malware, creating new user accounts, and executing the ransomware.

Some of the tools observed in Trigona attacks

• NetScan (for reconnaissance)
• Start.bat batch script (copies files to a newly created folder)
• Turnoff.bat (a cleanup script)
• Newuser.bat (creates a new user account)
• Mimikatz, DC4.exe (executes a batch file to disable UAC, opens specific firewall ports, and enables remote desktop connections)
• Advanced Port Scanner.

The ransomware operators also use a leak site to list the victims. This leak site resembles BlackCat ransomware, which suggests that Trigona might be leveraging BlackCat’s reputation to extort victims.

Researchers identified similarities with the TTPs associated with CryLock ransomware, which suggests that CryLock’s operators might have moved on to the new ransomware family.

Trigona is a newer strain of ransomware that, to date, has had minimal coverage by security news articles. This lack of security community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations dominate the news headlines.

This research is documented by researchers from Palo Alto Unit42 and Fortinet.

Indicators of Compromise

• bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13 svhost.exe (Ransomware Binary)
• 853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e Splashtop
• 24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5 Netscan
• 4724EE7274C31C8D418904EE7E600D92680A54FECDAC28606B1D73A28ECB0B1E Netscan
• e22008893c91cf5bfe9f0f41e5c9cdafae178c0558728e9dfabfc11c34769936 Netscan
• 8d069455c913b1b2047026ef290a664cef2a2e14cbf1c40dce6248bd31ab0067 Netscan
• 544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc start.bat
• a15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6 turnoff.bat
• b7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd newuser.bat
• e5cf252041045b037b9a358f5412ae004423ad23eac17f3b03ebef7c8147a3bb Mimikatz
• 5603d4035201a9e6d0e130c561bdb91f44d8f21192c8e2842def4649333757ab Mimikatz
• 69f245dc5e505d2876e2f2eec87fa565c707e7c391845fa8989c14acabc2d3f6 Mimikatz
• phandaledr@onionmail[.]org Ransom note contact email
• farusbig@tutanota[.]com Ransom note contact email
• how_to_decrypt.hta Ransom note name
• 94979b61bba5685d038b4d66dd5e4e0ced1bba4c41ac253104a210dd517581b8 DC2.exe
• 9c8a4159166062333f2f74dd9d3489708c35b824986b73697d5c34869b2f7853 DC4.exe
• c5d09435d428695ce41526b390c17557973ee9e7e1cf6ca451e5c0ae443470ca DC6.exe
• 3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion Trigona TOR negotiation portal
• 45.227.253[.]99 IP address associated with Trigona activity
• 45.227.253[.]106 IP address currently hosting Trigona leak site
• 45.227.253[.]98 IP address associated with Trigona activity
• 45.227.253[.]107 IP address associated with Trigona activity