Blog · Scenario

The Trigona ransomware

By Detecteam, 2023-10-11

TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

The Trigona ransomware emerged in late 2022 and has evolved rapidly through continuous updates. By April 2023 it was targeting Microsoft SQL Server (MSSQL) instances via brute-force login attempts. The threat is linked to the CryLock ransomware group and possibly to ALPHV (BlackCat), though their involvement remains uncertain. The US and India are the most affected countries, with the technology and healthcare sectors hit hardest.

Trigona exploits CVE-2021-40539 and deploys various tools for lateral movement, including Splashtop. It uses Mimikatz to harvest victim credentials and encrypts files with AES. A Linux version has surfaced, and a 64-bit Windows variant introduced new command-line options.

The ransomware runs a double-extortion scheme, pressuring victims to pay by threatening to leak stolen data. Enhanced security measures, including MFA, data backups, and prompt system patching, are recommended to counter this growing threat.
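The MSSQL brute-force activity described above is something a defender can detect from the SQL Server logon audit trail. The following detector is an added example, not code from the original post or from the Detecteam data set: it parses constructed ERRORLOG-style logon messages (the line format, client addresses and account names are assumptions made here), flags a client that produces repeated failed logins inside a short window, and additionally flags a successful login from a client that was already flagged, which is the point at which a brute-force attempt becomes a likely compromise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on the SQL Server ERRORLOG format
# (Error 18456 = login failed). Addresses and account names are made up.
SAMPLE_LOG = """\
2023-10-11 02:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-10-11 02:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-10-11 02:14:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-10-11 02:14:01.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-10-11 02:14:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-10-11 02:14:02.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-10-11 02:14:03.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2023-10-11 08:30:12.00 Logon       Login failed for user 'appsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Matches both failed and succeeded logon lines; "Error: 18456 ..." header lines do not match.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return a list of (timestamp, client, user, failed) tuples from ERRORLOG text."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # skip error headers and unrelated messages
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["client"], m["user"], m["outcome"] == "failed"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector keyed on source client.

    Emits ("bruteforce") once a client reaches `threshold` failures within `window`,
    and ("success_after_bruteforce") for any later successful logon from that client.
    """
    alerts = []
    recent = defaultdict(deque)  # client -> timestamps of recent failures
    flagged = set()
    for ts, client, user, failed in sorted(events):
        q = recent[client]
        if failed:
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append((client, "bruteforce",
                               f"{len(q)} failed logons within {window.seconds}s"))
        elif client in flagged:
            alerts.append((client, "success_after_bruteforce",
                           f"user '{user}' logged in after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for client, kind, detail in detect_bruteforce(parse_logon_events(SAMPLE_LOG)):
        print(f"{kind:24s} {client:16s} {detail}")
```

By default SQL Server audits failed logins only, so the "success after burst" rule requires the login audit level to include successful logins; the same 18456 events also appear in the Windows Application log under the MSSQLSERVER source if that is the collection path in use. Threshold and window should be tuned to the environment, and a single low-volume source such as 10.0.0.12 above correctly produces no alert.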

DATA

We publish data from attacks weekly, hoping to help raise awareness of these threats through their own data.

cs_ProcessRollup2.json (download)

CATEGORY

Ransomware

REFERENCES

  • https://asec.ahnlab.com/en/51343/
  • https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
  • https://unit42.paloaltonetworks.com/trigona-ransomware-update/

MITRE ATT&CK

  • T1003.001 - LSASS Memory
  • T1021.001 - Remote Desktop Protocol
  • T1027 - Obfuscated Files or Information
  • T1036.004 - Masquerading as Legitimate Application
  • T1046 - Network Service Discovery
  • T1069 - Permission Groups Discovery
  • T1070.001 - Clear Windows Event Logs
  • T1070.004 - File Deletion
  • T1072 - Software Deployment Tools
  • T1098 - Account Manipulation
  • T1105 - Ingress Tool Transfer
  • T1112 - Modify Registry
  • T1136 - Create Account
  • T1219 - Remote Access Software
  • T1486 - Data Encrypted for Impact
  • T1489 - Service Stop
  • T1490 - Inhibit System Recovery
  • T1546.008 - Accessibility Features
  • T1555 - Credentials from Password Stores
  • T1562.004 - Disable or Modify System Firewall
  • T1570 - Lateral Tool Transfer