{
	"id": "12864eb1-1065-4f10-87da-1fc16593a4a1",
	"created_at": "2026-04-06T01:31:44.896373Z",
	"updated_at": "2026-04-10T13:11:38.256452Z",
	"deleted_at": null,
	"sha1_hash": "0c0d49964e00b2e28d8aa590d2154ad1c88bd089",
	"title": "Trigona Ransomware Attacking MS-SQL Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2448973,
	"plain_text": "Trigona Ransomware Attacking MS-SQL Servers\r\nBy ATCP\r\nPublished: 2023-04-09 · Archived: 2026-04-06 01:22:50 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being\r\ninstalled on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered\r\nin October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the\r\nCryLock ransomware. [1]\r\n1. Poorly Managed MS-SQL Servers\r\nPoorly managed MS-SQL servers typically refer to those that are exposed to external connections and have simple\r\naccount credentials, rendering them vulnerable to brute force or dictionary attacks. If a threat actor manages to log\r\nin, control over the system will be passed to them, allowing them to install malware or execute malicious\r\ncommands.\r\nAdditionally, MS-SQL can be installed on both Windows servers and desktop environments. For example, there\r\nare cases where MS-SQL is installed alongside certain ERP and work-purpose solutions during their installation\r\nprocess. Because of this, Windows servers and Windows desktop environments can both be targeted for MS-SQL\r\nServer attacks.\r\nASEC is monitoring attacks against poorly managed MS-SQL servers. ASEC Report is also sharing quarterly\r\nstatistics of information including the number of attacks and malware used in attacks. [2] Most malware types can\r\nbe used in these attacks, including Trojans, backdoors, CoinMiners, and ransomware. When it comes to\r\nransomware, Mallox and GlobeImposter are the most used. [3]\r\nFigure 1. Statistics for ransomware types used to attack MS-SQL servers\r\nhttps://asec.ahnlab.com/en/51343/\r\nPage 1 of 8\n\n2. CLR SqlShell\r\nThe system currently subject to analysis is an environment where an externally exposed MS-SQL server has been\r\ninstalled and assumed to have inappropriate account credentials. 
This means that multiple threat actors have\r\nalready obtained the account credentials, and as a result, the detection logs of various ransomware such as Remcos\r\nRAT and CoinMiners have been found.\r\nIt is presumed that the threat actor first installs the CLR SqlShell malware before installing Trigona. Although\r\nmultiple malware logs were confirmed together, the basis for this assumption comes from the time-based\r\nsimilarity with the timing of the ransomware attacks and the fact that it was present in most of the systems where\r\nTrigona attacks were carried out. In addition, this CLR SqlShell malware is confirmed to have a routine that\r\nexploits privilege escalation vulnerabilities, which is believed to be due to the high privileges required by Trigona\r\nas it operates as a service.\r\nFigure 2. CLR Shell malware detected alongside the Trigona ransomware\r\nIn MS-SQL environments, there are many methods to execute OS commands besides the xp_cmdshell command,\r\nand one of them includes the use of the CLR extended procedure. This feature was originally used to provide\r\nexpanded features on SQL servers. However, threat actors can abuse this to add and use malicious functions. CLR\r\nSqlShell is a type of CLR assembly malware that receives commands from threat actors and performs malicious\r\nbehaviors, similarly to the WebShells of web servers.\r\nLemonDuck is an example of a malware strain that uses this CLR SqlShell. LemonDuck also targets MS-SQL\r\nservers for internal network propagation and malicious behavior is performed after logging into the sa account\r\nwhich is obtained through scanning and dictionary attacks. 
xp_cmdshell commands may be used for malicious\r\nbehavior, but the ExecCommand() method of this CLR SqlShell, evilclr.dll, is used when downloading additional\r\npayloads.\r\nThe CLR SqlShell that has been confirmed during the Trigona ransomware attacks does not have a command\r\nexecution routine, but it supports functions such as privilege escalation (MS16-032) vulnerability exploitation,\r\ninformation gathering, and user account configuration. A threat actor can use this to perform a variety of malicious\r\nbehaviors with a high privilege level.\r\nFigure 3. CLR Shell malware used in attacks\r\nThe routine used in the MS16-032 vulnerability exploitation is almost the same as the disclosed code, and it uses\r\nits escalated privilege to execute the binary included inside of it.\r\nFigure 4. Routine to exploit MS16-032 vulnerability\r\nThe “nt.exe” file created and executed through CLR SqlShell has a simple routine: it edits the registry and\r\nreboots the system so that the SQL service account is changed to LocalSystem.\r\nFigure 5. Routine to change the SQL service account to LocalSystem.\r\nThus, the MS-SQL process sqlservr.exe, which runs with the “NT Service\\MSSQL$SQLEXPRESS” privilege, is\r\nexecuted with LocalSystem privileges after the registry is edited and the system is rebooted. The threat actor can\r\nthen use the MS-SQL process that now has elevated privileges to carry out malicious behaviors.\r\nFigure 6. Former registry value and the process execution account after system reboot\r\n3. Trigona Ransomware\r\nAccording to the infection logs, the Trigona ransomware is installed after the CLR SqlShell malware. The\r\nfollowing is a log from AhnLab’s ASD that shows the MS-SQL process sqlservr.exe installing Trigona under the\r\nname svcservice.exe.\r\nFigure 7. 
Trigona ransomware installation log\r\nsvcservice.exe is a dropper malware that operates as a service. When executed as a service, it creates and executes\r\nthe actual Trigona ransomware, svchost.exe, in the same path. It also creates and executes svchost.bat, which is the\r\nbatch file responsible for executing the ransomware. svchost.bat first registers the Trigona binary to the Run key\r\nto ensure that it can run even after a reboot. It then deletes volume shadow copies and disables the system\r\nrecovery feature, making it impossible to recover from the ransomware infection.\r\nFigure 8. Routine to delete volume shadow copies and disable system recovery\r\nAfterward, svchost.exe, which is the Trigona ransomware, is executed and the service “svcservice” that was\r\nregistered earlier is then deleted. Upon running Trigona, it is executed with arguments for each drive from C:\\ to\r\nZ:\\.\r\nFigure 9. Routine to execute Trigona ransomware\r\nTrigona is a ransomware developed in Delphi that encrypts files without distinguishing their extensions. Files that\r\nhave been encrypted are suffixed with the “._locked” extension.\r\nFigure 10. Encrypted files\r\nA ransom note with the filename “how_to_decrypt.hta” is generated in each folder. The threat actor informs the\r\nvictim that their data has been encrypted with a secure AES algorithm and instructs them to install a Tor browser\r\nand contact a specified address in order to initiate the recovery process.\r\nFigure 11. Ransom note generated in encrypted folders\r\nThreat actor’s Onion address:\r\nhxxp://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion/\r\nTypical attacks that target MS-SQL servers include brute force attacks and dictionary attacks against systems where\r\naccount credentials are being poorly managed. 
Admins must also use passwords that cannot be easily guessed and\r\nchange them periodically to protect the database servers from brute force and dictionary attacks.\r\nV3 should be updated to the latest version so that malware infection can be prevented. Administrators should also\r\nuse security programs such as firewalls for database servers accessible from outside to restrict access by external\r\nthreat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware\r\ncan occur.\r\nFile Detection\r\n– Ransomware/Win.Generic.C5384838 (2023.02.20.00)\r\n– Trojan/BAT.Runner.SC187699 (2023.04.08.00)\r\n– Trojan/Win.Generic.C5148943 (2022.05.30.00)\r\n– Trojan.Win.SqlShell.C5310259 (2022.11.21.03)\r\n– Unwanted.Win.Agent.C5406884 (2023.04.08.00)\r\nBehavior Detection\r\n– Ransom/MDP.Command.M2255\r\n– Ransom/MDP.Event.M1946\r\nMD5\r\n1cece45e368656d322b68467ad1b8c02\r\n1e71a0bb69803a2ca902397e08269302\r\n46b639d59fea86c21e5c4b05b3e29617\r\n530967fb3b7d9427552e4ac181a37b9a\r\n5db23a2c723cbceabec8d5e545302dc4\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51343/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/51343/"
	],
	"report_names": [
		"51343"
	],
	"threat_actors": [],
	"ts_created_at": 1775439104,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c0d49964e00b2e28d8aa590d2154ad1c88bd089.pdf",
		"text": "https://archive.orkl.eu/0c0d49964e00b2e28d8aa590d2154ad1c88bd089.txt",
		"img": "https://archive.orkl.eu/0c0d49964e00b2e28d8aa590d2154ad1c88bd089.jpg"
	}
}