Trend Micro Inc.

06/23/2023 | News release | Distributed by Public on 06/23/2023 03:23

An Overview of the Different Versions of the Trigona Ransomware

To pressure victims into paying the ransom, the Trigona leak site contains a countdown timer and bidding options for parties interested in acquiring access to the leaked data. The attackers provide each victim with an authorization key that they can use to register on the negotiation portal provided by Trigona.

The Trigona ransomware group employs a double extortion scheme. In addition to the main leak site which displays the list of victim companies, Trigona's operators also use a Tor site where victims can communicate with the threat actor group to negotiate for the decryption tool. Interestingly, they also flag those victims that have already paid.

The report from Palo Alto revealed an IP address hosting the leak site under the name "Trigona Leaks" and using port 8000. Additionally, another IP address titled "Leaks" was uncovered, which also employed port 8000 and shared the same IP range as the previously mentioned leak site-connected IP address.

During our investigation, we found another IP address on June 3 that was still active at the time of writing. This IP address, which uses port 3000 and the title "Blog", is within the IP range of the previous addresses. We surmise that the threat actor relocates some of its infrastructure when its IP address is exposed. Using this third leak site, we were able to find their file storage site (aeey7hxzgl6zowiwhteo5xjbf6sb36tkbn5hptykgmbsjrbiygv4c4id[.]onion). This site hosts critical data stolen from victims, such as documents, contracts, and other large volumes of data.

The Trigona ransomware group has poor operational security when it comes to the implementation of Tor sites - although their aim of targeting poorly managed SQL servers is not something we usually see with less technically proficient threat actors. Our ransomware spotlight on TargetCompany shows another group using a similar technique of targeting SQL servers.