Trigona

Malware Profile Updated 5 days ago
Trigona, a malware identified in 2022, emerged as a significant ransomware threat. It infected devices through suspicious downloads, emails, or websites and was particularly notorious for targeting Microsoft SQL servers; it was used by various ransomware operations including AvosLocker, MedusaLocker, BlackCat, and LockBit. In 2023, Trigona became a noteworthy departure from typical ransomware due to its unique characteristics and tactics. Its demise was brought about not by law enforcement but by a hacktivist group known as the Ukrainian Cyber Alliance, which exploited a critical vulnerability in Confluence, using a zero-day exploit, to access Trigona's infrastructure. The group exfiltrated the gang's data and wiped the Trigona ransomware servers, erasing all of their data and effectively ending the Trigona ransomware operation. This unprecedented event underscores the evolving landscape of cybersecurity threats and the potential role of hacktivist groups in combating them. Because Trigona was linked with other ransomware strains such as ALPHV, Akira, CL0P, Hive, LockBit 3.0, Play, Ransomed, Royal, ThreeAM, and Vice Society, its downfall may have broader implications for the ongoing fight against cybercrime. It also highlights the importance of vigilance and robust cybersecurity measures for organizations, given the continuous emergence of new and sophisticated ransomware threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description

Alphv (5 votes): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car

Crylock (4 votes): CryLock is a form of malware, specifically ransomware, known for its capability to infiltrate systems and hold data hostage for ransom. This malicious software can infect systems through suspicious downloads, emails, or websites, often without the knowledge of the user. Once inside, CryLock can disr

Blackmatter (2 votes): BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention

svchost.exe (2 votes): Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di

Akira (2 votes): Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow

Vice Society (1 vote): Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Extortion
Windows
Vulnerability
Exploit
Malware
Confluence
ManageEngine
Data Leak
Exploitation
Encryption
Linux
Encrypt
T1486
T1485
T1135
macOS
FortiGuard
SQL
RAT
Reconnaissance
RMM
Remcos
Tool
Ukrainian
Locker
T1140
T1218.005
Proxy
T1036.005
T1083
T1033
T1529
Associated Malware
ID (type, votes): Profile Description

REvil (Unspecified, 2 votes): REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot

Lockbit (Unspecified, 2 votes): LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt

Clop (Unspecified, 1 vote): Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o

Cactus (Unspecified, 1 vote): Cactus is a type of malware, specifically ransomware, that has been implicated in several high-profile cyber-attacks. This malicious software infiltrates systems through deceptive methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Cactus c

AvosLocker (Unspecified, 1 vote): AvosLocker is a type of malware, specifically a ransomware, that has been causing significant issues across the digital landscape. Ransomware is a form of malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without

MedusaLocker (Unspecified, 1 vote): MedusaLocker, first observed in September 2019, is a potent ransomware variant that primarily targets Windows machines through spam. This malware should not be confused with Medusa, a Ransomware-as-a-Service (RaaS) platform active since late 2022. MedusaLocker has been utilized by various ransomware

Ragnar Locker (Unspecified, 1 vote): Ragnar Locker is a type of malware, specifically a ransomware, that has been designed to infiltrate computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, or websites and once inside, it has the capability to steal personal information, disru

Mallox (Unspecified, 1 vote): Mallox, also known as Fargo and Tohnichi, is a sophisticated malware that first surfaced in June 2021. This ransomware infiltrates systems primarily via SQL servers and has been observed to be particularly active in Taiwan, India, Thailand, and South Korea. It employs various variants that append di

Ragnarlocker (Unspecified, 1 vote): RagnarLocker is a type of malware, specifically ransomware, which first emerged in 2021. It is designed to infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostag
Associated Threat Actors
ID (type, votes): Profile Description

DarkSide (Unspecified, 2 votes): DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d

Alphv Group (Unspecified, 2 votes): The ALPHV group, also known as BlackCat, is a threat actor that has been active in the cybersecurity landscape. In 2023, the group was significantly impacted by law enforcement actions. Notably, they claimed responsibility for a major hack against Clarion, a global manufacturer of audio and video eq

8base (Unspecified, 1 vote): 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o

RansomedVC (Unspecified, 1 vote): RansomedVC, a new threat actor in the cybersecurity landscape, has emerged as a significant concern due to its unorthodox approaches and deceptive tactics. This group is suspected to be an enterprise of a single individual threat actor, who has previously been associated with other cybercrime operat
Associated Vulnerabilities
ID (type, votes): Profile Description

CVE-2023-22515 (Unspecified, 3 votes): CVE-2023-22515 is a critical Broken Access Control vulnerability discovered in October 2023, affecting the Confluence Data Center and Server. This flaw in software design or implementation allowed unauthenticated attackers to create unauthorized administrator accounts and gain access to Confluence i

CVE-2021-40539 (Unspecified, 3 votes): (no profile description)
Source Document References
Information about the Trigona Malware was read from the documents corpus below. This display is limited to 20 results.

Source, Created At: Title

Securityaffairs, 2 days ago: FIN7 group advertises new EDR bypass tool on hacking forums
Securityaffairs, 5 days ago: FIN7 group advertises new EDR bypass tool on hacking forums
Unit42, 6 months ago: Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
CERT-EU, 7 months ago: Ransomware Spotlight: Trigona - Security News | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 8 months ago: Ransomware attacks up 81% year-on-year in October | #ransomware | #cybercrime | National Cyber Security Consulting
Malwarebytes, 8 months ago: Ransomware review: October 2023
CERT-EU, 9 months ago: Ransomware and Cyber-extortion Trends in Q3 2023 - ReliaQuest
CERT-EU, 9 months ago: Ragnar Locker ransomware dev arrested in France
CERT-EU, 9 months ago: The Week in Ransomware - October 20th 2023 - Fighting Back
CERT-EU, 9 months ago: Cyber Security Today, Week in Review for the week ending Friday, October 20, 2023 | IT World Canada News
CERT-EU, 9 months ago: Cyber Security Week in Review: October 20, 2023
CERT-EU, 9 months ago: Cyber Security Today, Oct. 20, 2023 – Free anti-phishing guidance, ransomware gang sunk for not patching Confluence servers | IT World Canada News
CERT-EU, 9 months ago: Ragnar Locker ransomware’s dark web extortion sites seized by police
CERT-EU, 9 months ago: Ragnar Locker ransomware developer arrested in France
BankInfoSecurity, 9 months ago: Breach Roundup: Citrix Patch Not Sufficient
BankInfoSecurity, 9 months ago: Is the Ragnar Locker Ransomware Group Headed for Oblivion?
CERT-EU, 9 months ago: Interesting cyber attack headlines trending on Google for this day - Cybersecurity Insiders
CERT-EU, 9 months ago: Ukrainian Hacktivists Claim Trigona Ransomware Takedown
CERT-EU, 9 months ago: Ukrainian activists hack Trigona ransomware gang, wipe servers
BankInfoSecurity, 9 months ago: Ukrainian Hacktivists Claim Trigona Ransomware Takedown