Wednesday, April 30, 2025
Beware of New Trigona Ransomware Attacking Finance and Marketing Industries


The relatively new Trigona ransomware strain was particularly active in December 2022, according to Unit 42 researchers, targeting organizations in the manufacturing, finance, construction, agriculture, marketing, and high technology industries.

“Trigona’s threat operator engaging in behavior such as obtaining initial access to a target’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM) software, creating new user accounts and deploying ransomware,” Unit 42 researchers said.

Companies in the United States, Australia, New Zealand, Italy, France, and Germany were affected.

Specifics of the Trigona Ransomware

From the recent analysis, researchers say that a unique computer ID (CID) and victim ID (VID) are included in each Trigona ransom note, which is presented as an HTML application with embedded JavaScript rather than the typical text file.

Figure: Sample Trigona ransom note (screenshot). It tells the business its network is encrypted, lists three steps for data recovery, offers tips for lowering the price, and includes a “Need help?” link.

The ransom note’s JavaScript contains the following details:

  • A uniquely generated CID and VID
  • A link to the negotiation Tor portal
  • An email address to contact.
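For responders who find such a note on a host, the first job is usually to pull the identifiers out of it for the incident record without visiting the portal. The following Python script is an added example, not code from the original article or from Unit 42; it parses a constructed HTA-style note (all values below are invented placeholders, not real Trigona artifacts), applies a simple heuristic for recognizing an HTML Application ransom note, extracts the CID, VID, Tor onion address and contact email, and defangs them for reporting.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample resembling an HTML Application (HTA) ransom note with
# embedded JavaScript. Every value here is a placeholder made up for this
# example; the field names (cid, vid, portal, contact) are assumptions.
SAMPLE_NOTE = """<html>
<head>
<title>how_to_decrypt</title>
<HTA:APPLICATION ID="note" APPLICATIONNAME="note" SCROLL="no">
<script language="JavaScript">
  var cid = "EXAMPLE-CID-0000000000000000";
  var vid = "EXAMPLE-VID-00000000";
  var portal = "http://exampleexampleexampleexampleexampleexampleexampleexample.onion/";
  var contact = "support@example.invalid";
</script>
</head>
<body>
<p>All your documents, databases, backups and other critical files were encrypted.</p>
<p>The price depends on how soon you will contact us.</p>
</body>
</html>"""


@dataclass
class NoteIndicators:
    """Indicators recovered from a ransom note."""
    cid: Optional[str] = None
    vid: Optional[str] = None
    onion_hosts: List[str] = field(default_factory=list)
    emails: List[str] = field(default_factory=list)


_HTA_TAG = re.compile(r"<hta:application\b", re.IGNORECASE)
_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_RANSOM_WORDS = ("encrypted", "decrypt", "price")

# "<name> = '<value>'" or "<name>: '<value>'" inside the embedded script.
_ID_PATTERN = r'\b{name}\b\s*[=:]\s*["\']([^"\']+)["\']'
_CID_RE = re.compile(_ID_PATTERN.format(name="cid"), re.IGNORECASE)
_VID_RE = re.compile(_ID_PATTERN.format(name="vid"), re.IGNORECASE)
# Tor hidden-service hostnames are base32 (a-z, 2-7), 16 chars (v2) or 56 (v3).
_ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def looks_like_hta_ransom_note(text: str) -> bool:
    """Heuristic: an HTA with a script block and at least two ransom-style words."""
    lowered = text.lower()
    word_hits = sum(1 for word in _RANSOM_WORDS if word in lowered)
    return bool(_HTA_TAG.search(text)) and bool(_SCRIPT_TAG.search(text)) and word_hits >= 2


def extract_indicators(text: str) -> NoteIndicators:
    """Pull CID, VID, onion hosts and emails out of the note text."""
    indicators = NoteIndicators()
    cid_match = _CID_RE.search(text)
    if cid_match:
        indicators.cid = cid_match.group(1)
    vid_match = _VID_RE.search(text)
    if vid_match:
        indicators.vid = vid_match.group(1)
    indicators.onion_hosts = sorted(set(_ONION_RE.findall(text)))
    indicators.emails = sorted(set(_EMAIL_RE.findall(text)))
    return indicators


def defang(value: str) -> str:
    """Make a host or address non-clickable for inclusion in a report."""
    return value.replace(".", "[.]").replace("@", "[at]")


def triage(text: str) -> Dict[str, object]:
    """Summarize a suspected note as a report-ready dictionary with defanged values."""
    indicators = extract_indicators(text)
    return {
        "is_hta_ransom_note": looks_like_hta_ransom_note(text),
        "cid": indicators.cid,
        "vid": indicators.vid,
        "onion_hosts": [defang(h) for h in indicators.onion_hosts],
        "emails": [defang(e) for e in indicators.emails],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The CID and VID are worth recording because they tie separate infected hosts to one intrusion; the onion host and email are the indicators to share with the SOC. Defanging keeps analysts from accidentally opening the negotiation portal from a ticket or email.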

Researchers identified at least 15 potential victims compromised in December 2022. They also discovered two new Trigona ransom notes, one in January 2023 and one in February 2023.

When Trigona was first discovered, there was no evidence that it operated a leak site for double extortion; instead, its ransom notes directed victims to the negotiation portal. A researcher later identified a leak site attributable to Trigona hosted on a specific IP address.

Figure: Trigona leak site (screenshot). It lists current leaks with view counts, whether each leak is active, and a countdown timer; details including screenshots and ransom amounts are shown, along with a green button to place a bid.

Additionally, tactics, techniques, and procedures (TTPs) used by Trigona operators and CryLock ransomware operators coincide, indicating that the threat actors who previously used CryLock ransomware may have switched to using Trigona ransomware.

Figure: A user on SafeZone, a Russian anti-malware forum, seeking help with CryLock ransomware (screenshot). An email address is highlighted in red.

Both ransomware families drop ransom notes in HTML Application format, and the ransom message is similar, including:

  • Their claim that all “documents, databases, backups, and other critical” files and data were encrypted
  • AES is their choice of cryptographic algorithm
  • Their statement that “the price depends on how soon you will contact us.”

Hence, by exposing Trigona and its unusual method of obfuscating its malware with password-protected executables, researchers aim to help defenders better protect their organizations against this threat.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
