The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Trigonia Ransomware

Mar 31, 2023 2:10:27 PM / by The Hivemind

TRIGONIA
Related Families: CryLock
Verticals Targeted: Manufacturing, Finance, Construction, Agriculture, Marketing, Technology

Executive Summary

Trigonia ransomware was first seen in the wild in late 2022. It is a Windows binary that uses a Delphi AES library for encryption and appends ._locked to encrypted files.

Key Takeaways

  • Palo Alto’s Unit 42 recently reported on Trigonia ransomware, which was first seen in the wild in late 2022. 
  • The ransomware has targeted multiple verticals, including manufacturing, finance, construction, agriculture, marketing, and technology. 
  • Trigonia uses a Delphi AES library for encryption and appends ._locked to encrypted files.

What is Trigonia?

Palo Alto’s Unit 42 recently reported on Trigonia ransomware, which was first seen in the wild in late 2022. Trigonia is the name of a variety of stingless bees. The ransomware has targeted multiple verticals, including manufacturing, finance, construction, agriculture, marketing, and technology. Victim locations include the US, Italy, France, Germany, Australia, and New Zealand.

Unit 42 has observed Trigonia’s threat actors obtaining initial access to a victim’s environment, performing reconnaissance, using remote monitoring and management (RMM) software to transfer malware, creating new user accounts, and deploying the ransomware.

Trigonia is a Windows binary. It uses a Delphi AES library for encryption and appends ._locked to encrypted files. It modifies registry keys to maintain persistence. Following encryption, Trigonia drops a ransom note.

Trigonia's ransom note is delivered as an HTML application (HTA) with embedded JavaScript; the script carries the victim's computer ID and victim ID. The note warns victims that their files and backups have been encrypted using a secure AES algorithm and directs them to a Tor portal for negotiation. The threat actors state that the decryption price increases every hour and threaten to auction off victim data if the ransom is not paid. The group's leak site lists the victim's name, the company's description and ZoomInfo page, a description of the stolen data, links to screenshots of stolen files, a countdown timer, and a button to bid for the data.
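As an added example that is not part of the original post or of Unit 42's tooling, the following Python script performs first-pass triage of an HTA ransom note of the kind described above: it pulls the script blocks out of the HTA, collects string variables whose names look like identifiers, and lists any .onion hosts referenced. The embedded sample note is constructed for this example; its variable names (computer_id, victim_id, portal) and values are assumptions, not strings recovered from a real Trigonia note.

```python
import re
from typing import Dict, List

# Constructed stand-in for the kind of HTA ransom note described above.
# The variable names and values are assumptions for this example, not
# strings recovered from a real Trigonia note.
ONION_HOST = "example" * 8 + ".onion"  # made-up 56-character v3-style host
SAMPLE_HTA = f"""<html>
<head>
<title>how_to_decrypt</title>
<HTA:APPLICATION ID="note" APPLICATIONNAME="note" />
<script language="javascript">
var computer_id = "A1B2C3D4E5F60718";
var victim_id = "VICTIM-0042";
var portal = "http://{ONION_HOST}/";
document.write("<h1>All your files and backups are encrypted with AES</h1>");
document.write("<p>Your ID: " + victim_id + " portal: " + portal + "</p>");
</script>
</head>
<body></body>
</html>
"""

# <script ...> ... </script>, tolerant of attributes and newlines
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# var name = "literal";  (single- or double-quoted; escapes are not handled)
VAR_RE = re.compile(r"""\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])(.*?)\2""")
# v2 (16 chars) or v3 (56 chars) .onion host
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")


def extract_scripts(hta: str) -> List[str]:
    """Return the body of every script element in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(hta)]


def extract_vars(script: str) -> Dict[str, str]:
    """Map simple `var x = "..."` declarations to their string values."""
    return {m.group(1): m.group(3) for m in VAR_RE.finditer(script)}


def extract_onions(text: str) -> List[str]:
    """Distinct .onion hosts mentioned anywhere in the note."""
    return sorted(set(ONION_RE.findall(text)))


def triage_note(hta: str) -> Dict[str, object]:
    """Summarize what an analyst records from a note: ID values and portal."""
    scripts = extract_scripts(hta)
    variables: Dict[str, str] = {}
    for body in scripts:
        variables.update(extract_vars(body))
    # Anything whose name contains "id" is kept as a candidate identifier.
    ids = {k: v for k, v in variables.items() if "id" in k.lower()}
    return {
        "script_blocks": len(scripts),
        "ids": ids,
        "onion_hosts": extract_onions(hta),
    }


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HTA
    print(json.dumps(triage_note(source), indent=2))
```

Run it with a path to a captured note to get the IDs and portal as JSON; with no argument it triages the constructed sample. The regexes deliberately do not execute or render the HTA, so the note can be examined on an analyst workstation without mshta.exe ever touching it.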

Unit 42 researchers noted similarities and TTP overlap between Trigonia and CryLock ransomware. Similarities noted include the use of HTML application ransom notes, the wording of the ransom message, and the use of AES encryption.

IOCs

PolySwarm has multiple samples of Trigonia.

853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e
24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5
4724ee7274c31c8d418904ee7e600d92680a54fecdac28606b1d73a28ecb0b1e
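To act on these indicators, here is an added Python triage script (example code written around the hashes above, not PolySwarm's own tooling) that normalizes the IOC list to lowercase hex so mixed-case feeds still match, streams SHA-256 over every regular file under a directory, and reports both hash matches and files carrying the ._locked extension. The demo directory it builds when run without arguments is constructed for this example and contains no real samples.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

# SHA-256 digests listed in this post.
TRIGONIA_SHA256 = [
    "853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e",
    "24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5",
    "4724ee7274c31c8d418904ee7e600d92680a54fecdac28606b1d73a28ecb0b1e",
]
LOCKED_SUFFIX = "._locked"  # extension appended to encrypted files


def normalize_iocs(hashes: Iterable[str]) -> Set[str]:
    """Lowercase and validate digests; IOC feeds mix upper and lower case."""
    out: Set[str] = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large artifacts never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_tree(root: Path, iocs: Set[str]) -> Dict[str, List[str]]:
    """Walk a tree; report IOC hash matches and files carrying ._locked."""
    hits: Dict[str, List[str]] = {"ioc_match": [], "locked_file": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # do not follow links out of the tree
            if name.endswith(LOCKED_SUFFIX):
                # Encrypted victim data, not the payload: record it, skip hashing.
                hits["locked_file"].append(str(p))
                continue
            if sha256_file(p) in iocs:
                hits["ioc_match"].append(str(p))
    return hits


def make_demo_tree() -> Path:
    """Constructed sample tree (no real artifacts) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="trigonia_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.pdf._locked").write_bytes(b"\x00" * 32)
    (root / "a.bin").write_bytes(b"abc")
    (root / "readme.txt").write_text("benign")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_demo_tree()
    results = triage_tree(target, normalize_iocs(TRIGONIA_SHA256))
    for kind, paths in results.items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Pass a mount point or evidence directory as the first argument; the script prints one tab-separated line per hit. A hash match only identifies the samples listed here, so absence of a match rules out nothing, while a single ._locked file is worth escalating regardless.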

You can use the following CLI command to search for all Trigonia samples in our portal:

$ polyswarm link list -f Trigonia

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, Ransomware, Trigonia, crylock
