New variants of the Trigona ransomware virus do not spare Windows and Linux users
The malware, which has been active since the middle of last year, keeps evolving month after month and poses a growing threat to the corporate sector.
Cybersecurity specialists at Trend Micro have discovered new variants of the Trigona ransomware, which has been actively spreading since June 2022. Like most programs of its kind, Trigona uses a double-extortion method: it first exfiltrates files from infected computers and then encrypts them, threatening to publish the stolen data on the Internet if the victims do not pay a ransom.
Trigona is written in Delphi and uses 112-bit RSA together with 256-bit AES in OFB mode to encrypt files. After encrypting the files, the malware appends the “.locked” extension to them and drops a “how_to_decrypt.hta” file containing data-recovery instructions and the attackers’ contact details. Victims are offered free decryption of up to three files as proof that their data can be recovered.
To pay the ransom, victims typically have to download and install the Tor browser and follow the link given in the “how_to_decrypt.hta” file. On the attackers’ site, victims must register by entering the unique key from the “how_to_decrypt.hta” file and choosing a username and password. The ransom amount is not known in advance, but the attackers are known to demand payment in the Monero (XMR) cryptocurrency. The site also offers a support chat for victims.
The new versions of Trigona differ from the existing ones in several ways:
- they support various command-line options that let attackers flexibly customize how files are encrypted and erased;
- they attack Microsoft SQL servers using password-guessing techniques and the CLR shell tool;
- they have a Linux version which, however, shares similarities with the Windows version;
- they use a public website instead of a Tor hidden service to host stolen data, and offer to communicate with the attackers via regular email.
Researchers have not yet established exactly how Trigona infects computers. The malware is suspected to be delivered by other malware that arrives via email, Remote Desktop Protocol (RDP) or the exploitation of known vulnerabilities in various software. In some cases, attackers have also broken into Microsoft SQL servers and installed Trigona on them directly.
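The password-guessing attacks against Microsoft SQL servers described above (in the list of new features and in the paragraph on infection vectors) leave a trace in the server's own error log as bursts of failed logins from one client. The following script, an added example that is not code from Trend Micro or from this article, flags clients that generate many failures in a short window. The line format is modelled on SQL Server's ERRORLOG "Login failed" entries, the sample lines are constructed, and the threshold and window size are assumptions.

```python
"""Detect password-guessing bursts against a Microsoft SQL Server from its
error log.  Added example; not code from Trend Micro or the article.
Line format modelled on SQL Server ERRORLOG "Login failed" entries; the
sample lines, the threshold and the window size are constructed/assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the second line SQL Server writes for a failed login:
# "<timestamp> Logon  Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: one client hammering 'sa' and 'admin', one ordinary typo.
SAMPLE_LOG = """\
2023-04-10 09:15:01.22 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 09:15:01.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 09:15:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 09:15:05.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 09:15:07.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-04-10 09:15:09.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-04-10 09:15:12.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-10 09:20:44.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-10 09:21:00.00 spid52      Starting up database 'tempdb'.
"""


def parse_failures(lines):
    """Yield (timestamp, user, client) for every failed-login line; other
    lines (the 'Error: 18456' header, unrelated events) are skipped."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["client"]


def find_bursts(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failures per client.  Returns
    {client: {"first_seen": ts, "peak": n, "users": [...]}} for every client
    that reached `threshold` failures inside any `window_seconds` window.
    `peak` is the largest in-window count seen; `users` lists every login name
    that client tried (across the whole log, not only the window)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for ts, user, client in parse_failures(lines):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(client)
            alerts[client] = {
                "first_seen": prev["first_seen"] if prev else q[0],
                "peak": max(len(q), prev["peak"] if prev else 0),
                "users": sorted(users[client]),
            }
    return alerts


if __name__ == "__main__":
    for client, info in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['peak']} failures from {info['first_seen']}, "
              f"users tried: {', '.join(info['users'])}")
```

The single failure from 10.0.0.5 never reaches the threshold and is ignored; the 203.0.113.7 client crosses it on its fifth attempt and is reported with a peak of six failures across two usernames. In production the same logic can run over Windows Security Event 4625 or 18456 audit events, and the alert should feed the account-lockout and network-exposure checks rather than stand on its own.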
Trigona is updated regularly with new features, including a data-wiping feature that overwrites files with zero bytes, renames them with an “.erased” extension, and then deletes them.
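The on-disk artefacts the article attributes to Trigona, the “.locked” extension on encrypted files, the “.erased” extension left by the wiper, and the “how_to_decrypt.hta” ransom note, are simple to sweep for on a file share or endpoint. The script below is an added example and not code from Trend Micro or this article; the directory tree it scans is constructed in a temporary folder, and the threshold for treating “.locked” files as suspicious without a note is an assumption.

```python
"""Scan a directory tree for the Trigona artefacts named in the article:
".locked" (encrypted), ".erased" (wiped) and the "how_to_decrypt.hta" note.
Added example; not code from Trend Micro or the article.  The sample tree
and the ".locked" threshold are constructed/assumed."""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "how_to_decrypt.hta"
SUSPECT_EXTENSIONS = {".locked", ".erased"}


def scan_tree(root):
    """Walk `root` and count indicator files.  Returns a dict with the number
    of ransom notes, files per suspect extension, and the directories in
    which a note was found (useful for scoping the affected shares)."""
    counts = Counter()
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                counts["note"] += 1
                note_dirs.append(dirpath)
                continue
            ext = Path(lower).suffix          # last suffix only: "a.docx.locked" -> ".locked"
            if ext in SUSPECT_EXTENSIONS:
                counts[ext] += 1
    return {
        "note": counts["note"],
        ".locked": counts[".locked"],
        ".erased": counts[".erased"],
        "note_dirs": sorted(note_dirs),
    }


def assess(result, min_locked=5):
    """Turn counts into a verdict.  A ransom note is decisive on its own.
    ".locked" files alone must exceed `min_locked` (assumed value) because the
    suffix also appears on legitimate lock files; any ".erased" file is
    reported, since the wiper renames files just before deleting them."""
    if result["note"] > 0:
        return "ransom note present"
    if result[".locked"] >= min_locked or result[".erased"] > 0:
        return "suspicious extensions"
    return "clean"


def build_sample_tree():
    """Constructed sample: a temp dir mimicking a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="trigona_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    for i in range(6):
        (docs / f"report{i}.docx.locked").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.erased").write_bytes(b"")
    (docs / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
    (Path(root) / "readme.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print(result)
    print("verdict:", assess(result))
```

Run it against a real share root instead of the sample tree to get a quick triage count; the directories listed under `note_dirs` are where the note was dropped and usually mark the extent of the encryption run.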
Cybersecurity experts advise Windows and Linux users to be careful when opening suspicious emails and attachments, to update their software and antivirus products promptly, to make regular backups, and to follow the 3-2-1 rule (three copies of the data stored in two different formats, with one copy kept in a separate location).
It is also very important to set up multi-factor authentication, as this will prevent attackers from moving laterally across the network and gaining access to sensitive information.