Trigona ransomware, a relatively new threat actor active since late 2022, had its servers “exfiltrated and wiped” by the Ukrainian Cyber Alliance (UCA). The white hat hackers also claim that the backups of Trigona’s network infrastructure were wiped.
What is Trigona Ransomware?
Trigona is a relatively new ransomware actor, active for around a year at the moment (since October 2022). Despite that, the hackers have demonstrated significant activity from the very beginning, exploiting various vulnerabilities, particularly in MSSQL and popular software. They also do not disdain using compromised business emails collected in the early stages of an attack, or even in previous hacks. Moreover, the gang has tried to keep up with the latest trends and released a Linux variant of its ransomware.
Thorough research suggests that Trigona is probably an offspring of CryLock ransomware. Although that group never announced a shutdown, it went quiet for some time – and then Trigona emerged. The new group uses almost the same tools and tactics, so it is logical to assume that one is a rebirth of the other. Others point to certain relations with the ALPHV/BlackCat gang, though these appear rather sporadically and are most likely a coincidence.
Trigona Ransomware Hacked by Ukrainian Cyber Alliance
On October 17, 2023, the Telegram channel of the Ukrainian Cyber Alliance posted information about Trigona ransomware servers being seized and disabled. This was accompanied by a screenshot of the gang’s Darknet leak site after the hack.
The Ukrainian Cyber Alliance is a group of hacktivists that perform attacks on Russian cybercrime gangs. Formed in 2014, they were an obvious response to the increased volume of Russian state-sponsored attacks on Ukrainian infrastructure and companies. And, as you can see, they keep going to this day.
Posts on a related Telegram channel, RUH8, uncovered some interesting details. As it turns out, the hackers gained access to Trigona’s Confluence account earlier this month – around October 12.
Posts on the RUH8 admin’s Twitter further revealed that the Ukrainian hackers did not only hack and deface the Darknet site. Screenshots show that Trigona’s backups are gone as well, which makes it rather difficult to get back online quickly. Another picture shows that all the credentials and internal data were exfiltrated and deleted from the crooks’ servers.
One more screenshot from the same Twitter thread shows that the hackers got their hands on the cybercriminals’ entire toolkit. This means that sooner or later, a decryptor for the victims of Trigona ransomware will be available.
Is Trigona Trigone now?
Not yet. Despite such a severe blow, Trigona ransomware can still recover, though it will certainly take some time to bring all the infrastructure back online. Moreover, its crypto wallets are exposed as well, which calls into question their further use for funding operations. Key developers and operators would have to rebuild everything from scratch – and without pay, the motivation will be quite low. The future of the Trigona group is unclear.
This is not the first time a hacker group has had its network infrastructure wrecked. The recent FBI operation “Duck Hunt” dismantled the huge botnet run by QakBot. However, the feds did not seize the tier 1 servers, where the vast majority of the infrastructure is hosted – while Trigona had everything wiped in one stroke. Overall, such operations may be pretty effective effort-wise, as those that involve imprisoning threat actors and physically seizing assets require far more reconnaissance, legal action, real-world operations and the like. I expect to see many more of these in the future.