Monthly Threat Brief
May 12, 2023
2 MIN READ
Trigona Ransomware: Hackers target MS-SQL servers for double extortion attacks


Trigona ransomware, first discovered in October 2022, claims to undertake double extortion attacks by combining data exfiltration with file encryption, and is known for accepting ransom payments only in Monero cryptocurrency from victims globally. Since the beginning of 2023, the Trigona ransomware gang has been responsible for a steady stream of attacks, with at least 190 submissions to the ID Ransomware platform. Trigona encrypts all files on victims' devices except those in certain folders, including Windows and Program Files. Prior to encryption, the gang claims to have stolen sensitive documents, which it threatens to upload to its dark web leak site.

Attackers were also spotted breaking into poorly secured and vulnerable Microsoft SQL (MS-SQL) servers in order to drop Trigona ransomware payloads and encrypt all files, according to security analysts. The MS-SQL servers were compromised through brute-force or dictionary attacks against easy-to-guess account credentials.

Before deploying Trigona, the threat actor is assumed to first install the CLR SqlShell malware to elevate privileges and perform various malicious actions. The malware is used to collect system information, change the configuration of the compromised account, and escalate privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service, which is required to execute the ransomware as a service.

The attackers then install and run a dropper malware called svcservice.exe, which they employ to launch the Trigona ransomware as svchost.exe. Furthermore, the ransomware renames encrypted files with the ._locked extension and embeds the encrypted decryption key, campaign ID, and victim ID (company name) in each locked file.

Trigona ransomware has been linked to compromises affecting a wide range of enterprises around the world, including those in manufacturing, finance, construction, agriculture, marketing, and high technology. The companies impacted were located in the United States, Italy, France, Germany, Australia, and New Zealand.

References:

  • https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-phishing-operation-linked-to-crime-ring/
  • https://www.scmagazine.com/brief/ransomware/microsoft-sql-servers-subjected-to-trigona-ransomware-attacks
  • https://www.securityweek.com/new-trigona-ransomware-targets-us-europe-australia/
