
New Trigona ransomware strain up and running, but still evolving

Security researchers have identified a new strain of ransomware that is already in operation and still under active development in the wild.

David Hollingworth
Mon, 20 Mar 2023

The ransomware — named Trigona, after a species of bee — has been in operation since at least October 2022, when it was first spotted. It then hit peak operation in December, impacting businesses in a range of industries, from finance to construction, as well as agriculture and marketing.

The ransomware operators behind Trigona have a global reach, targeting businesses in Australia, New Zealand, the United States, Italy, France, and Germany.

However, it also appears that Trigona is still being refined by its operators. While Trigona’s ransom notes do not threaten to leak data, the operators of the ransomware have been seen to post to a leak site on the surface web — but using details copied from another leak site. According to Palo Alto’s Unit 42, this could suggest a testing phase of leak functionality before moving the site to the dark web.

That leak site has since been taken down.

Trigona’s operators also use a distinctive HTML ransom note that embeds JavaScript, complete with links and even a link to a help page.

“Unit 42 researchers observed that the JavaScript within the ransom note contains the following information,” Palo Alto’s experts said in a blog post, “a uniquely generated CID and VID, a link to the negotiation Tor portal, [and] an email address to contact”.

The note also warns that the ransom will get more expensive the more time passes.

“Don’t waste time,” the note read, “decryption price increases every hour”.

Unit 42 also notes that Trigona’s operators may have been previously using the CryLock ransomware. The malware suites share similar AES encryption, use similar phrases in their ransom notes, and both leave HTML-based ransom notes.

While the operators of Trigona are so far unidentified, they do appear to be Russian speakers. Part of the malware’s code is written in Cyrillic, and some of the remote commands use the password “Boris”.

In fact, password-protected executables appear to be another unusual and dangerous tactic.

“We hope that shining a light on Trigona and its uncommon technique of using password-protected executables to obfuscate malware helps defenders better protect their organisations against this threat,” Unit 42 concluded.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
