Trigona Ransomware: Hackers target MS-SQL servers for double extortion attacks

Trigona ransomware, first discovered in October 2022, claims to run double extortion attacks, combining data exfiltration with file encryption, and is known for accepting ransom payments only in Monero from victims worldwide. Since the beginning of 2023 the Trigona gang has been responsible for a steady stream of attacks, with at least 190 submissions to the ID Ransomware platform. Trigona encrypts all files on victims' devices except those in a few specific folders, including Windows and Program Files. Before encrypting, the gang claims to have stolen sensitive documents, which it threatens to publish on its dark web leak site.

Attackers were also spotted breaking into poorly secured and vulnerable Microsoft SQL (MS-SQL) servers to drop Trigona ransomware payloads and encrypt all files, according to security analysts. The MS-SQL servers were compromised through brute-force or dictionary attacks that guessed weak account credentials.
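The brute-force stage described above leaves a clear trail in the SQL Server error log, because each rejected login is written as a "Login failed for user" message that ends with the client address. The T-SQL below is an added example and not code from this article or from any of the sources it cites; it summarises those messages per client address and login name so that a dictionary attack stands out from ordinary mistyped passwords. It assumes sysadmin rights (xp_readerrorlog requires them), the default login-audit setting of "Failed logins only", and a threshold of 20 failures, which is an assumed number to adjust for your environment.

```sql
-- Added example (not from the article): spot brute-force / dictionary attacks
-- against MS-SQL by aggregating "Login failed" entries in the current error log.
-- Assumes sysadmin rights and that failed logins are audited (the default).
IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    [Text]      nvarchar(max)
);

-- xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server),
-- search string. Only matching lines are returned.
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- Keep only well-formed entries, e.g.
--   Login failed for user 'sa'. Reason: Password did not match that for the
--   login provided. [CLIENT: 203.0.113.7]
-- so the SUBSTRING arithmetic below never sees a line without both markers.
-- ([[] is how a literal '[' is written in a LIKE pattern.)
DELETE FROM #errlog
WHERE [Text] NOT LIKE 'Login failed for user ''%''%[[]CLIENT: %]%';

SELECT
    p.ClientIp,
    p.LoginName,
    COUNT(*)      AS Failures,
    MIN(e.LogDate) AS FirstSeen,
    MAX(e.LogDate) AS LastSeen
FROM #errlog AS e
CROSS APPLY (
    -- 1-based positions of the "[CLIENT: " marker and of the first quote
    SELECT CHARINDEX('[CLIENT: ', e.[Text]) AS ClientPos,
           CHARINDEX('''', e.[Text])        AS Quote1
) AS pos
CROSS APPLY (
    -- "[CLIENT: " is 9 characters long, so the address starts at ClientPos + 9
    -- and runs up to the next ']'
    SELECT SUBSTRING(e.[Text], pos.ClientPos + 9,
                     CHARINDEX(']', e.[Text], pos.ClientPos) - pos.ClientPos - 9) AS ClientIp,
           SUBSTRING(e.[Text], pos.Quote1 + 1,
                     CHARINDEX('''', e.[Text], pos.Quote1 + 1) - pos.Quote1 - 1) AS LoginName
) AS p
GROUP BY p.ClientIp, p.LoginName
HAVING COUNT(*) >= 20          -- assumed threshold; tune to your environment
ORDER BY Failures DESC;
```

The same events also reach the Windows Application log as MSSQLSERVER Event ID 18456, so a SIEM rule keyed on that event and the client address gives the same signal without touching the instance. A long run of failures for 'sa' from one address, or many different login names from one address, is the pattern to alert on; the fix is to take the listener off the Internet, disable or rename 'sa', and set CHECK_POLICY = ON on SQL logins so Windows lockout policy applies to them.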

Before deploying Trigona, the threat actor is believed to first install the CLR SqlShell malware, a CLR stored-procedure assembly loaded into the compromised SQL Server, to escalate privileges and perform various malicious actions. The malware is used to collect system information, change the configuration of the compromised account, and escalate privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service; LocalSystem privileges are needed to run the ransomware as a service.

The attackers then install and run a dropper called svcservice.exe, which they use to launch the Trigona ransomware as svchost.exe. The ransomware appends the ._locked extension to each encrypted file and embeds the encrypted decryption key, the campaign ID, and the victim ID (the company name) in every locked file.
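The intrusion chain in the two paragraphs above starts with a CLR assembly being loaded into the SQL Server, which only works when the instance has been configured to allow it. The T-SQL below is an added example, not code from the article or from any of the sources it cites, and shows what a defender should check for after a suspected brute-force: the instance options that CLR stored procedures and OS command execution depend on, every user-defined CLR assembly across all databases, and the databases whose TRUSTWORTHY setting lets UNSAFE assemblies run without signing. It assumes sysadmin rights and SQL Server 2016 or later (the clr strict security option only exists from 2017 on). CLR is used legitimately by some applications, so hits are leads to review, not proof of compromise.

```sql
-- Added example (not from the article): hunt for the MS-SQL footholds
-- (CLR assemblies, OS command execution) described in the text.
-- Assumes sysadmin rights on the instance.

-- 1. Instance options that enable CLR assemblies and OS command execution.
--    value_in_use = 1 means enabled. 'clr strict security' = 0 (SQL Server 2017+)
--    lets UNSAFE / EXTERNAL_ACCESS assemblies load without code signing.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell',
               'Ole Automation Procedures', 'show advanced options')
ORDER BY name;

-- 2. Every user-defined CLR assembly in every database, newest first.
--    EXTERNAL_ACCESS and UNSAFE assemblies can spawn processes, read files and
--    open network connections, which is exactly what a SQL shell needs.
IF OBJECT_ID('tempdb..#asm') IS NOT NULL DROP TABLE #asm;
CREATE TABLE #asm (
    DbName        sysname,
    AssemblyName  sysname,
    PermissionSet nvarchar(60),
    ClrName       nvarchar(4000),
    CreateDate    datetime,
    ModifyDate    datetime
);
INSERT INTO #asm (DbName, AssemblyName, PermissionSet, ClrName, CreateDate, ModifyDate)
EXEC sp_MSforeachdb N'
    USE [?];
    SELECT DB_NAME(), name, permission_set_desc, clr_name, create_date, modify_date
    FROM sys.assemblies
    WHERE is_user_defined = 1;';
SELECT * FROM #asm ORDER BY CreateDate DESC;

-- 3. Databases with TRUSTWORTHY on: UNSAFE assemblies owned by sa can run there
--    without being signed. Normally only msdb should show up.
SELECT name AS DbName, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 4. Hardening, once you have confirmed nothing legitimate depends on it.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;             RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'clr enabled', 0;             RECONFIGURE;  -- only if no app uses CLR
ALTER LOGIN sa WITH CHECK_POLICY = ON;   -- inherit Windows password/lockout policy
ALTER LOGIN sa DISABLE;                  -- use named sysadmin logins instead
```

Run sections 1 to 3 from a known-good baseline and diff the output; an assembly with a recent create_date in a database that never used CLR, or 'clr enabled' flipping to 1 on an instance that was hardened, is the kind of change that precedes the svcservice.exe dropper stage described above.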

Trigona ransomware has been linked to compromises at a wide range of enterprises around the world, including organisations in manufacturing, finance, construction, agriculture, marketing, and high technology. The affected companies were located in the United States, Italy, France, Germany, Australia, and New Zealand.


References:

  • https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-phishing-operation-linked-to-crime-ring/
  • https://www.scmagazine.com/brief/ransomware/microsoft-sql-servers-subjected-to-trigona-ransomware-attacks
  • https://www.securityweek.com/new-trigona-ransomware-targets-us-europe-australia/