South Korean cyber security organisation AhnLab has identified a breach in Microsoft SQL servers allowing deployment of Trigona ransomware. The attacks were threat actors using brute-force or dictionary attacks with obtained or guessed credentials to infiltrate externally accessible MS-SQL servers. Once they gain access, the attackers use CLR Shell malware to collect system information, alter account configurations, or gain additional privileges using a vulnerability in the Windows Secondary Logon Service. Subsequently, Trigona ransomware is installed.


What is CLR Shell (csharp)?


CLR Shell (also known as csharp) is a command-line shell that allows you to execute C# code snippets interactively. It is a part of the .NET Framework and can be accessed using the command-line interface (CLI) in Windows.


What is Trigona ransomware?


Trigona is ransomware that was first discovered in October 2022. Like other types of ransomware, it is designed to encrypt files on a victim’s computer, making them inaccessible, and then demand a ransom payment in exchange for the decryption key.


Trigona ransomware is known to use a combination of RSA and ChaCha encryption algorithms to encrypt the victim’s files, which makes it more difficult to decrypt them without the decryption key. It also adds a “.trigona” extension to the encrypted files, which helps to identify them.



How is Trigona ransomware distributed?


Trigona is typically distributed through spam email campaigns or by exploiting vulnerabilities in software on servers that are not hardened. Once it infects a computer, it will encrypt files on local drives as well as any mapped network drives that are accessible to the victim’s computer. It then displays a ransom note with instructions on how to pay the ransom in exchange for the decryption key.


How is Trigona installed?


It is believed that the CLR Shell malware is installed before Trigona, as it has a routine that exploits privilege escalation vulnerabilities, which is necessary for Trigona to operate as a service. Trigona ransomware encrypts files with a secure AES algorithm and hides their extensions, showing them with a “._locked” extension.


What is the impact of a Trigona ransomware attack by the Trigona team?


According to reports from cybersecurity researchers, the Trigona team has been active since at least 2014 and have been involved in multiple ransomware campaigns, including the Phobos, Dharma, and Crysis/Dharma/Cezar families.


Victims of Trigona ransomware receive a ransom note titled “how_to_decrypte.hta,” instructing them to install a Tor browser and contact an address on the dark web to begin the decryption process. Those who pay the ransom receive a link to a decryptor and a private decryption key in a keys.dat file, allowing them to decrypt individual files and full folders.


The Trigona team has been responsible for a large number of attacks, with at least 190 ID Ransomware platform submissions since the beginning of 2020, and it is currently unknown how much the group demands. The Trigona team have been known to steal data during the attacks and demand ransom payments exclusively in Monero cryptocurrency.


Harden Servers to Prevent Ransomware Attacks


As with all ransomware, it’s important to have proper backups of your important data, keep your software up to date, be cautious when opening email attachments or clicking on links from unknown or suspicious sources, and automate your server hardening to reduce the risk of becoming infected with Trigona or any other type of ransomware.


server hardening demo

You might be interested