Executive Summary
This report presents the static analysis of the Trigona ransomware, a newly discovered
strain that emerged in late October 2022. Our analysis is based on Trigona ransomware
binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42
incident response. Trigona has been highly active during December 2022, impacting at
least 15 potential victims across various industries, including manufacturing, finance,
construction, agriculture, marketing, and high technology.
Unique Characteristics: Trigona's ransom notes stand out from the typical plain-text note, as they
are delivered as HTML Applications (HTA files) with embedded JavaScript. Each ransom note
carries a unique computer ID (CID) and victim ID (VID).
Ransomware Behavior: Upon execution, Trigona uses the TDCP_rijndael library, a Delphi
AES implementation, to encrypt files on the victim's system. The ransomware appends
the ._locked file extension to encrypted files and modifies registry keys to maintain
persistence.
Lateral Movement: Lateral movement is achieved using various tools, including the legitimate remote
access tool Splashtop. This tool is misused to drop additional malicious tools onto
compromised machines, facilitating further movement within the network.
Network Scanner and Advanced Port Scanner: Trigona utilizes Network Scanner and
Advanced Port Scanner to identify network connections, presumably to map the
network's architecture and identify potential targets for lateral movement and further
exploitation.
CLR Shell on MS-SQL Servers: Based on AhnLab's analysis, Trigona's operators deploy a
CLR shell when attacking MS-SQL servers. The shell exposes multiple commands to them,
including one that drops an additional executable for privilege escalation (nt.exe), allowing
the threat actors to escalate their privileges on the compromised servers.
File Encryption: Trigona encrypts files on infected machines using AES encryption. The
ransomware carries an encrypted configuration in its resource section, which it decrypts at
run time; however, only a subset of the strings in that configuration is actually used. Additionally,
Trigona replaces the original file name of each encrypted file with a randomized one and appends the ._locked
extension.
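The two encryption-related observations above (a randomized file name plus the ._locked extension, applied in bulk) translate directly into a host-side detection rule. The following Python is an added example written for this summary, not code from the report or from Unit 42: it consumes file-rename telemetry, flags renames whose destination carries the ._locked suffix, and raises an alert for any host that produces a burst of such renames within a short time window. The RenameEvent record, the sample events and the window/threshold values are constructed assumptions for the demonstration.

```python
import os
from collections import defaultdict
from dataclasses import dataclass

# Extension reported for Trigona-encrypted files.
LOCKED_SUFFIX = "._locked"


@dataclass(frozen=True)
class RenameEvent:
    """Minimal file-rename telemetry record (hypothetical schema for this example)."""
    ts: float        # event time, epoch seconds
    host: str        # reporting host name
    old_path: str    # path before the rename
    new_path: str    # path after the rename


def is_trigona_style_rename(ev: RenameEvent) -> bool:
    """True when a file that was not previously ._locked is renamed so that its new
    name ends in ._locked. The original name is discarded by the ransomware, so only
    the destination suffix is a reliable signal; the source name is not inspected."""
    old_base = os.path.basename(ev.old_path.replace("\\", "/"))
    new_base = os.path.basename(ev.new_path.replace("\\", "/"))
    return new_base.endswith(LOCKED_SUFFIX) and not old_base.endswith(LOCKED_SUFFIX)


def detect_mass_encryption(events, window: float = 60.0, threshold: int = 5) -> dict:
    """Return {host: peak_count} for every host whose count of ._locked renames
    inside any `window`-second span reaches `threshold`. Uses a sliding window over
    the sorted timestamps so a single slow rename does not trigger an alert."""
    per_host = defaultdict(list)
    for ev in events:
        if is_trigona_style_rename(ev):
            per_host[ev.host].append(ev.ts)

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


# Constructed sample telemetry: WS01 shows six documents renamed to random-looking
# ._locked names within a few seconds; WS02 shows one ordinary rename and a single
# ._locked rename, which on its own stays below the alert threshold.
SAMPLE_EVENTS = [
    RenameEvent(1000.0 + i, "WS01",
                f"C:\\Users\\alice\\Documents\\report{i}.docx",
                f"C:\\Users\\alice\\Documents\\{name}._locked")
    for i, name in enumerate(["8f1c3a", "b72e90", "4d0a11", "c9e8f5", "02ab77", "e61d4c"])
] + [
    RenameEvent(1100.0, "WS02", "C:\\temp\\notes.txt", "C:\\temp\\notes.bak"),
    RenameEvent(1105.0, "WS02", "C:\\temp\\budget.xlsx", "C:\\temp\\7a3f._locked"),
]


if __name__ == "__main__":
    for host, count in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT host={host}: {count} ._locked renames within 60s")
```

In production the threshold and window would be tuned per environment, and the rule would normally be paired with a check that the renamed files sat in user-data locations, since a handful of ._locked renames scattered over a day is noise while dozens inside a minute on one host is the encryption phase described above.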
Mimikatz for Credential Dumping: To gather passwords and credentials from victim
machines, Trigona's operators use the credential dumper Mimikatz. This tool lets
them extract sensitive material, such as usernames, passwords, hashes, and
Kerberos tickets, from Windows systems.