
The Trigona ransomware


TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

The Trigona ransomware, which emerged in late 2022, has evolved rapidly through continuous updates. By April 2023 it had started targeting MSSQL servers through brute-force logins. The threat is linked to the CryLock ransomware group and possibly to ALPHV (BlackCat), though the latter's involvement remains unconfirmed. The US and India are the most affected countries, with the technology and healthcare sectors bearing the brunt.

Trigona exploits the CVE-2021-40539 vulnerability and deploys various tools for lateral movement, including Splashtop. It uses Mimikatz to harvest victims' credentials and AES encryption to lock files. A Linux version has surfaced, and a 64-bit Windows variant introduced new command-line options.

The ransomware employs a double extortion scheme, pressuring victims to pay by threatening data leaks. Enhanced security measures, including MFA, data backups, and prompt system patching, are recommended to combat this growing threat.
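The summary notes that Trigona's operators brute-force MSSQL logins before deploying the ransomware. The following detection logic is an added example written for this page, not code from Detecteam or from the report it summarizes: it parses SQL Server ERRORLOG-style logon lines, counts failed logins per client address in a sliding window, and additionally flags a successful login from the same address shortly after a burst (the pattern a guessed password leaves behind). The log lines, the 5-failures-in-5-minutes threshold and the client addresses are constructed assumptions; tune the threshold to the server's normal failure rate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the lines SQL Server writes to its ERRORLOG on login failure
# (error 18456) and login success. The timestamp/prefix layout mirrors the
# ERRORLOG format; the log text below is constructed for this example.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\..*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

SAMPLE_LOG = "\n".join([
    # constructed: six failures in seconds from one external address, then a success
    "2023-04-12 03:14:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2023-04-12 03:14:08.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2023-04-12 03:14:09.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2023-04-12 03:14:11.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]",
    "2023-04-12 03:14:12.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2023-04-12 03:14:13.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "2023-04-12 03:15:02.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]",
    # constructed: two mistyped passwords from an internal host, hours apart (benign)
    "2023-04-12 08:00:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2023-04-12 11:30:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
])


def parse_logon_events(text):
    """Return (timestamp, result, user, client) tuples for every matching logon line."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """
    Flag clients whose failed logins reach `threshold` inside any sliding `window`.
    Returns {client: {"max_burst": n, "users": [...], "success_after_burst": bool}}.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, client in events:
        (failures if result == "failed" else successes)[client].append((ts, user))

    findings = {}
    for client, fails in failures.items():
        fails.sort()
        max_burst, burst_end, start = 0, None, 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            size = end - start + 1
            if size > max_burst:
                max_burst, burst_end = size, fails[end][0]
        if max_burst >= threshold:
            # a success from the same client soon after the burst suggests a guess landed
            success_after = any(
                burst_end <= ts <= burst_end + window
                for ts, _ in successes.get(client, [])
            )
            findings[client] = {
                "max_burst": max_burst,
                "users": sorted({u for _, u in fails}),
                "success_after_burst": success_after,
            }
    return findings


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_logon_events(SAMPLE_LOG)).items():
        print(client, info)
```

Run against the constructed log, only 203.0.113.7 is flagged (burst of 6, users `admin` and `sa`, with a success inside the window); the internal host with two failures hours apart is not. Failed-login auditing must be enabled on the instance ("Failed logins only" or "Both" under server properties) for these lines to be written at all, so verifying that setting is the first step before relying on this signal.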

TIMELINE

DATA

We publish attack data weekly, in the hope that it helps raise awareness of these threats.

CATEGORY

Ransomware

MITRE ATT&CK