1. Overview
Trigona is a double extortion ransomware group that emerged publicly in late 2022, and quickly gained attention for its aggressive enterprise targeting, database-specific encryption techniques, and rapid tooling evolution. Trigona combines file encryption with data exfiltration, threatening public release of stolen information via its dark web leak site.
Though less widely known than groups like LockBit or Cl0p, Trigona has proven technically capable, tactically agile, and increasingly active across Europe, North America, and the Asia-Pacific region. The group has targeted organisations in finance, manufacturing, healthcare, legal services, and government, including several victims in the UK.
2. Origin and Evolution
Trigona was first identified in October 2022, but early samples suggest limited testing and smaller-scale attacks began in mid-2022. The group has been observed iterating its payloads quickly, with significant enhancements to obfuscation, persistence, and encryption mechanisms throughout 2023.
Trigona deploys its ransomware with multi-threaded encryption, often targeting Microsoft SQL Server databases explicitly—a rare capability that makes it uniquely disruptive to transactional systems. Its ransom notes link to a TOR-based negotiation portal, and each victim receives a customised ransom amount, typically tied to perceived revenue or data sensitivity.
3. Tactics, Techniques, and Procedures (TTPs)
Trigona exhibits a mature attack methodology with the following characteristics:
- Initial Access: Exploitation of vulnerabilities in web applications and RDP services (T1190), credential compromise via brute force or reuse (T1078), and phishing emails (T1566.001).
- Privilege Escalation & Lateral Movement: Uses PsExec, RDP, and PowerShell for movement and deployment (T1021). Observed use of Mimikatz for credential harvesting (T1003).
- Data Exfiltration: Files are staged and exfiltrated using Rclone, WinSCP, or custom PowerShell SFTP scripts (T1041), targeting contracts, finance data, emails, and customer information.
- Encryption: Employs multi-threaded AES encryption. Notably, Trigona targets SQL database files (.mdf, .ldf) during execution. Encrypted files are appended with .locked or .trigona.
- Persistence & Evasion: Uses scheduled tasks and registry changes (T1112) for persistence. Deletes shadow copies (T1490) and disables Windows Defender prior to execution.
4. Targeting Profile
Trigona’s targeting is opportunistic yet selective, focused on:
- Financial services and fintech startups
- Healthcare and private medical providers
- Law firms and professional services
- Manufacturing and engineering firms
- Public sector organisations in emerging markets
UK organisations—especially those lacking EDR coverage or segmentation of production databases—have already been observed among the group’s victims.
5. Notable Campaigns and Victims
Although Trigona operates with limited media attention, several confirmed campaigns include:
- A UK-based legal consultancy, with legal files and contract data encrypted and leaked
- A European hospital network, affecting patient billing systems and care portals
- A US-based construction firm, with procurement and financial data stolen and published
- An ASEAN logistics provider, where SQL databases and ERP systems were encrypted, disrupting operations
Ransom demands range from £100,000 to over £2 million, scaled by company size and sensitivity of the data stolen.
6. Ransomware and Leak Site Behaviour
Trigona maintains an active dark web leak site, updated regularly with:
- Organisation name and sector
- Sample files (e.g., NDAs, payroll records, passport scans)
- Data breach dates and file volumes
- Countdown timers to full leak release
- Links to victim-specific negotiation portals
The group typically initiates communication via TOR-based messaging platforms and will offer “proof of breach” by releasing partial file trees or archives.
7. Technical Indicators
Common IOCs associated with Trigona include:
- File extensions: .locked, .trigona
- Ransom notes titled how_to_decrypt.txt or readme.txt
- Use of rclone.exe, 7z.exe, WinSCP.exe
- SQL database encryption signatures (targeting .mdf and .ldf files)
- Scheduled tasks with names like TrigonaTask, DataRunner, or SyncHelper
YARA rules and IOC packs are maintained by UK Cyber Defence Ltd and made available to subscribed clients.
8. Defensive Measures and Recommendations
To reduce risk from Trigona ransomware:
- Segment and secure critical databases and backup infrastructure
- Patch public-facing services and enforce MFA on remote access tools
- Monitor for unusual SQL file access, especially bulk reads or write locks
- Use EDR/XDR tools with script-blocking and behavioural analytics
- Audit PowerShell usage, particularly scripts executing compression or upload operations
- Maintain offline, immutable backups of core databases and sensitive assets
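As an added illustration (not code from this profile or from UK Cyber Defence Ltd), the following Python script triages constructed sample endpoint events against the indicators listed in sections 3 and 7: the exfiltration tools, the scheduled task names, the ransom note names, and the .locked/.trigona extensions appended to SQL database files. The event field names (type, image, task, path) are an assumption, not any vendor's log schema.

```python
"""Triage sample endpoint events for the Trigona indicators named in this profile."""
import re
from collections import Counter

# Indicators taken from sections 3 and 7 of the profile (lower-cased for matching)
ENCRYPTED_EXTS = (".locked", ".trigona")
RANSOM_NOTES = {"how_to_decrypt.txt", "readme.txt"}   # readme.txt alone is low fidelity
EXFIL_TOOLS = {"rclone.exe", "7z.exe", "winscp.exe"}
TASK_NAMES = {"trigonatask", "datarunner", "synchelper"}
DB_EXTS = (".mdf", ".ldf")                              # SQL Server data/log files

def classify(event):
    """Return the list of indicator tags matched by one event dict (assumed field names)."""
    tags = []
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in EXFIL_TOOLS:
            tags.append("exfil_tool")
    elif kind == "task_created":
        if event.get("task", "").lower() in TASK_NAMES:
            tags.append("trigona_task_name")
    elif kind == "file":
        path = event.get("path", "").lower()
        name = path.rsplit("\\", 1)[-1]
        if name in RANSOM_NOTES:
            tags.append("ransom_note")
        if path.endswith(ENCRYPTED_EXTS):
            tags.append("encrypted_extension")
        # Strip the appended ransomware extension to recover the original file type
        stem = re.sub(r"\.(locked|trigona)$", "", path)
        if stem.endswith(DB_EXTS) and stem != path:
            tags.append("sql_db_encrypted")
    return tags

def triage(events):
    """Return (matching events with their tags, per-tag hit counts)."""
    hits, counts = [], Counter()
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event, tags))
            counts.update(tags)
    return hits, counts

SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"type": "process", "image": r"C:\Windows\Temp\rclone.exe"},
    {"type": "task_created", "task": "DataRunner"},
    {"type": "file", "path": r"D:\SQL\Data\crm.mdf.trigona"},
    {"type": "file", "path": r"D:\SQL\Data\how_to_decrypt.txt"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for event, tags in triage(SAMPLE_EVENTS)[0]:
        print(tags, event)
```

Several distinct tags firing on one host within a short window is the signal worth paging on; any single tag, readme.txt in particular, is better treated as an enrichment than an alert.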
9. Attribution and Alliances
While attribution remains speculative, Trigona’s code and deployment methods suggest links to Eastern European cybercriminal ecosystems, possibly involving operators previously active in HelloKitty or Hive campaigns.
The group operates as a closed RaaS model with no public affiliate recruitment. Access may be brokered via Initial Access Brokers (IABs) or limited private partnerships.
10. Conclusion
Trigona is a growing ransomware threat with custom tooling, targeted encryption of SQL databases, and aggressive double extortion tactics. For UK organisations—especially those managing unsegmented financial or legal data infrastructure—Trigona presents a serious and evolving risk.
Defending against this threat requires strong endpoint visibility, data access monitoring, and a focus on reducing lateral movement and outbound exfiltration.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025