
Executive Summary:

This report presents the static analysis of the Trigona ransomware, a newly discovered
strain that emerged in late October 2022. Our analysis is based on Trigona ransomware
binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42
incident response. Trigona has been highly active during December 2022, impacting at
least 15 potential victims across various industries, including manufacturing, finance,
construction, agriculture, marketing, and high technology.

Unique Characteristics: Trigona's ransom notes stand out from typical text files, as they
are presented as HTML Applications with embedded JavaScript. These ransom notes
contain unique computer IDs (CID) and victim IDs (VID).

Ransomware Behavior: Upon execution, Trigona uses the TDCP_rijndael library, a Delphi
AES implementation, to encrypt files on the victim's system. The ransomware appends
the ._locked file extension to encrypted files and modifies registry keys to maintain
persistence.

Persistence Mechanisms: Trigona achieves persistence by creating two keys in
CurrentVersion\Run. The first key executes the ransomware binary upon user login,
ensuring that the encryption process resumes after a system reboot. The second key
opens the ransom note every time the user logs in.

Ransom Note Details: Trigona's ransom note, named how_to_decrypt.hta, is delivered to
the infected system. The HTML code within this file contains embedded JavaScript that
displays the ransom note details. These details include a uniquely generated CID and
VID, a link to the negotiation Tor portal, and an email address for victims to contact the
ransomware operators.

Contact Email: The contact email shown in the ransom note is
phandaledr@onionmail[.]org. In other Trigona ransom notes, the contact email
farusbig@tutanota[.]com has been observed.
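The ransom note sections above describe an HTA file whose embedded JavaScript carries the CID, VID, Tor portal link and contact email. The following Python is an added triage helper, not code from this report, from Unit 42 or from the Trigona authors: it extracts those fields from a note and defangs the contact channels for an indicator list. The HTA text is constructed for the example, and the `cid = "..."` / `vid = "..."` assignment pattern is an assumed layout to adjust against a real sample, not a reproduction of Trigona's actual script.

```python
"""Pull victim identifiers and contact channels out of an HTA ransom note.
Added example, not Unit 42 or Trigona code. The note below is constructed;
the variable names cid/vid are an assumed layout, not Trigona's real one."""
import re

# Constructed stand-in for how_to_decrypt.hta (HTML Application with JavaScript).
SAMPLE_HTA = """<html><head><title>how_to_decrypt</title>
<script language="javascript">
var cid = "AAAA-BBBB-CCCC-DDDD";   // constructed computer ID
var vid = "1111-2222-3333-4444";   // constructed victim ID
var portal = "http://exampleportal222.onion/";  // constructed, not a real address
document.write("Contact: " + "phandaledr@onionmail.org");
</script></head><body></body></html>"""

# Assumed assignment pattern: <name> = "<value>" inside the embedded script.
ID_RE = {name: re.compile(r'\b%s\s*=\s*["\']([^"\']+)["\']' % name, re.I)
         for name in ("cid", "vid")}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# v2 (16 chars) or v3 (56 chars) onion hostnames use the base32 alphabet.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s\"'<>]*", re.I)


def defang(indicator):
    """Render an indicator non-clickable: http -> hxxp, '.' -> '[.]'."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def extract_indicators(hta_text):
    """Return CID, VID, defanged emails and defanged .onion URLs from the note."""
    found = {}
    for name, rx in ID_RE.items():
        m = rx.search(hta_text)
        found[name] = m.group(1) if m else None
    found["emails"] = sorted({defang(e) for e in EMAIL_RE.findall(hta_text)})
    found["onion_urls"] = sorted({defang(u) for u in ONION_RE.findall(hta_text)})
    return found


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_HTA).items():
        print(f"{key}: {value}")
```

The CID and VID are worth recording per host because the note ties them to a specific machine and victim; the defanged email and portal address go straight into a blocklist or a sharing report without risk of an analyst clicking through.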

Conclusion: Trigona ransomware presents a serious threat to organizations across
various industries. Its unique ransom note format, use of embedded JavaScript, and
persistent behavior make it challenging to combat. Organizations should implement
proactive security measures to defend against Trigona and other similar ransomware
strains. Additionally, monitoring and intelligence sharing can help identify new
developments and strategies used by the ransomware operators.
Trigona's Initial Access and Lateral Movement: Trigona gains initial access to target
systems by exploiting the ManageEngine vulnerability CVE-2021-40539, as reported by
Arete. Additionally, the threat actors leverage previously compromised accounts
acquired from network access brokers to further infiltrate the network.

Lateral movement is achieved using various tools, including the legitimate remote
access tool Splashtop. This tool is misused to drop additional malicious tools onto
compromised machines, facilitating further movement within the network.

Trojan.BAT.TASKILL.AE (turnoff.bat): Trigona drops a file named turnoff.bat (detected as
Trojan.BAT.TASKILL.AE), which is used to terminate antivirus-related services and
processes, potentially disabling security measures on the infected machine.

Network Scanner and Advanced Port Scanner: Trigona utilizes Network Scanner and
Advanced Port Scanner to identify network connections, presumably to map the
network's architecture and identify potential targets for lateral movement and further
exploitation.

CLR Shell on MS-SQL Servers: Based on AhnLab's analysis, Trigona's operators employ
CLR shell when attacking MS-SQL servers. This tool grants them multiple commands,
including one to drop additional executables for privilege escalation (nt.exe), allowing
the threat actors to escalate their privileges on the compromised servers.

File Encryption: Trigona encrypts files on infected machines using AES encryption. The
ransomware contains an encrypted configuration in its resource section, decrypted upon
execution. However, it selectively uses certain strings from its configuration. Additionally,
Trigona randomizes the file names of encrypted files and appends the ._locked
extension upon encryption.
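Three of the behaviours described on this page leave host telemetry a defender can key on: the two CurrentVersion\Run values (one for the binary, one for the ransom note), the turnoff.bat script stopping security services, and the burst of files renamed with the ._locked extension. The Python below is an added detection example, not code from this report or from Unit 42, that runs those rules over Sysmon-style records and correlates them (a Run key pointing at the same image that wrote ._locked files). All events, paths, PIDs and service names are constructed placeholders, and the event schema is a simplified stand-in for Sysmon's.

```python
"""Triage rules over Sysmon-style events for the Trigona behaviours this report
describes: Run-key persistence for the binary and the .hta ransom note, a batch
file stopping security services, and files renamed with the ._locked extension.
Added example, not Unit 42 or Trigona code. Events and names are constructed."""
import ntpath
from collections import Counter, defaultdict

# Constructed Sysmon-like records (1 = process create, 11 = file create,
# 13 = registry value set); fields are simplified versions of Sysmon's.
ENC = r"C:\Users\jdoe\AppData\Local\Temp\payload.exe"   # placeholder encryptor path
RUN = r"HKU\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"id": 13, "image": ENC, "target": RUN + r"\svc", "details": ENC},
    {"id": 13, "image": ENC, "target": RUN + r"\note",
     "details": r"C:\Users\jdoe\how_to_decrypt.hta"},
    {"id": 13, "image": r"C:\Program Files\Vendor\updater.exe",            # benign
     "target": RUN + r"\Vendor", "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 11, "image": ENC, "target": r"C:\Users\jdoe\Documents\7f3a9c1e._locked"},
    {"id": 11, "image": ENC, "target": r"C:\Users\jdoe\Documents\b02d44aa._locked"},
    {"id": 11, "image": ENC, "target": r"C:\Users\jdoe\Documents\e9c10f57._locked"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\jdoe\Documents\report.docx"},                    # benign
    {"id": 1, "parent_pid": 4100, "cmd": "taskkill /f /im avproduct.exe"},  # placeholder
    {"id": 1, "parent_pid": 4100, "cmd": "net stop avservice"},             # placeholder
    {"id": 1, "parent_pid": 4100, "cmd": "sc stop avupdater"},              # placeholder
    {"id": 1, "parent_pid": 7000, "cmd": "net stop Spooler"},               # benign
]
KILL_PREFIXES = ("taskkill ", "net stop ", "sc stop ")


def encryptor_images(events, threshold=3):
    """Images that created at least `threshold` files ending in ._locked
    (Trigona's extension). Tune the threshold for the environment."""
    counts = Counter(e["image"] for e in events
                     if e["id"] == 11 and e["target"].lower().endswith("._locked"))
    return {img: n for img, n in counts.items() if n >= threshold}


def run_key_findings(events, encryptors):
    """Run-key values that launch an .hta (ransom note auto-open) or that point
    at an image already seen writing ._locked files (encryption resumes at logon)."""
    out = []
    for e in events:
        if e["id"] != 13 or "\\currentversion\\run\\" not in e["target"].lower():
            continue
        data = e["details"].lower()
        if data.endswith(".hta"):
            out.append(("high", "run_key_hta", f'{e["target"]} -> {e["details"]}'))
        elif any(ntpath.basename(img).lower() in data for img in encryptors):
            out.append(("high", "run_key_encryptor", f'{e["target"]} -> {e["details"]}'))
    return out


def service_kill_findings(events, min_count=3):
    """Several taskkill / net stop / sc stop launches from one parent process,
    the pattern a turnoff.bat-style script produces."""
    by_parent = defaultdict(list)
    for e in events:
        if e["id"] == 1 and e["cmd"].lower().startswith(KILL_PREFIXES):
            by_parent[e["parent_pid"]].append(e["cmd"])
    return [("medium", "mass_service_kill", f"parent {pid}: {cmds}")
            for pid, cmds in by_parent.items() if len(cmds) >= min_count]


def triage(events):
    """Run all rules; return (severity, rule, detail) tuples."""
    encryptors = encryptor_images(events)
    findings = [("high", "locked_extension", f"{img} wrote {n} ._locked files")
                for img, n in encryptors.items()]
    findings += run_key_findings(events, encryptors)
    findings += service_kill_findings(events)
    return findings


if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

On the constructed sample the benign Run value and the single `net stop Spooler` produce nothing, while the encryptor is flagged three ways: for the ._locked burst, for the Run value that points back at it, and separately for the Run value that launches the .hta note. Correlating the Run key with the file-creation telemetry is what keeps the persistence rule from firing on every legitimate autostart entry.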

Mimikatz for Credential Dumping: To gather passwords and credentials from victim
machines, Trigona's operators utilize the credential dumper Mimikatz. This tool allows
them to extract sensitive information, such as usernames, passwords, hashes, and
Kerberos tickets from a Windows operating system.

Conclusion: Trigona ransomware employs sophisticated techniques for initial access,
lateral movement, privilege escalation, and file encryption. The threat actors take
advantage of vulnerabilities like CVE-2021-40539 and legitimate tools, such as
Splashtop, to facilitate their malicious activities. Furthermore, the use of Mimikatz
demonstrates their intent to gather sensitive information for potential future attacks or
for leverage in the negotiation process during ransomware incidents.

Organizations must stay vigilant against emerging threats like Trigona and implement
robust cybersecurity measures, such as promptly patching vulnerabilities and using
multi-layered security solutions, to protect against ransomware attacks. Additionally,
regular security awareness training for employees can help prevent social engineering
and phishing attacks, reducing the likelihood of initial access by threat actors.
