{
	"id": "ba624b29-09fd-48fc-81cd-2456db9769f2",
	"created_at": "2026-04-06T00:09:12.607846Z",
	"updated_at": "2026-04-10T03:30:52.097131Z",
	"deleted_at": null,
	"sha1_hash": "5a8f4e8e6725406ab218d356ea9fb32e7519ac46",
	"title": "Bee-Ware of Trigona, An Emerging Ransomware Strain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 610777,
	"plain_text": "Bee-Ware of Trigona, An Emerging Ransomware Strain\r\nBy Frank Lee, Scott Roland\r\nPublished: 2023-03-16 · Archived: 2026-04-05 14:59:48 UTC\r\nExecutive Summary\r\nTrigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing\r\nTrigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident\r\nresponse, we determined that Trigona was very active during December 2022, with at least 15 potential victims being\r\ncompromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high\r\ntechnology industries.\r\nUnit 42 researchers identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom\r\nnotes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded\r\nJavaScript containing unique computer IDs (CID) and victim IDs (VID).\r\nPalo Alto Networks helps detect and prevent Trigona ransomware with the following products and services: Cortex XDR,\r\nPrisma Cloud and Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire) and\r\nthrough incident response.\r\nTrigona Overview\r\nThe first mention of Trigona, also the name of a family of stingless bees, comes from a tweet by security researchers in late\r\nOctober 2022. Malware samples were passed to BleepingComputer, which in turn published a blog post on the ransomware\r\non Nov. 29, 2022. 
Unit 42 consultants also have seen Trigona firsthand in the course of incident response.\r\nUnit 42 researchers have observed Trigona’s threat operator engaging in behavior such as obtaining initial access to a\r\ntarget’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM)\r\nsoftware, creating new user accounts and deploying ransomware.\r\nRansomware Analysis\r\nRansomware Binary\r\nUnit 42 obtained and analyzed a sample of the Trigona ransomware binary, named svhost.exe. Upon execution, the\r\nransomware binary uses TDCP_rijndael (a Delphi AES library) to encrypt files. The ransomware then appends the ._locked\r\nfile extension, modifies registry keys to maintain persistence, and drops ransom notes.\r\nThe ransomware binary supports the following command line arguments:\r\nArgument - Description\r\n/full - Performs all functions of the ransomware. Encrypts both local and network files. Creates two registry keys for persistence, one for the ransomware binary and another for the ransom note.\r\n/!autorun - Skips creation of registry keys for persistence\r\n/test_cid “test” - Overwrites the default victim-generated CID and replaces it with the “test” value\r\n/test_vid “test” - Overwrites the default VID and replaces it with the “test” value\r\n/p, /path “path” - Encrypts only files contained within the specified path\r\n/!local - Does not encrypt local system files, only encrypts files on the local network\r\n/!lan - Does not encrypt local network files, only encrypts files on the local system\r\n/autorun_only “path” - Creates a registry key for persistence only. Allows an optional “path” to be provided to override the default path; does not encrypt files\r\nThe ransomware establishes persistence through the creation of two keys in CurrentVersion\\Run. 
Keys found in\r\nCurrentVersion\\Run contain references to programs that will execute when a user logs in.\r\nOne key executes the ransomware binary whenever the user logs in, ensuring that the encryption process would resume\r\nupon reboot. The other key ensures that the ransom note is opened every time the user logs in.\r\nRansom Note\r\nhttps://unit42.paloaltonetworks.com/trigona-ransomware-update/\r\nPage 1 of 14\n\nTrigona’s ransom note is dropped to the system with the name how_to_decrypt.hta. The HTML code in this file contains\r\nembedded JavaScript functionality, which displays ransom note details as shown below in Figure 1.\r\nFigure 1. Sample Trigona ransom note.\r\nUnit 42 researchers observed that the JavaScript within the ransom note contains the following information:\r\nA uniquely generated CID and VID\r\nA link to the negotiation Tor portal\r\nAn email address to contact.\r\nThe contact email shown below in Figure 2 is phandaledr@onionmail[.]org. We have also seen farusbig@tutanota[.]com\r\nused as the contact email in other Trigona ransom notes.\r\nFigure 2. Embedded JavaScript containing campaign ID and victim ID.\r\nVictimology\r\nBy looking at the victim ID in the embedded JavaScript in the Trigona ransom notes, we were able to identify at least 15\r\npotential victims that were compromised in December 2022. We also identified two new Trigona ransom notes in January\r\n2023 and two in February 2023.\r\nTrigona ransomware has been linked to compromises impacting multiple organizations worldwide, in sectors including\r\nmanufacturing, finance, construction, agriculture, marketing and high technology. The companies impacted were in the\r\nUnited States, Italy, France, Germany, Australia and New Zealand.\r\nLeak Site Analysis\r\nWhen Trigona was first observed, there was no evidence of this group using a leak site for double extortion. Their ransom\r\nnote pointed the victims to their negotiation portal instead. 
During the investigation of this ransomware family, we observed\r\nthat a researcher identified a leak site attributed to Trigona hosted on the IP address 45.227.253[.]99.\r\nUnit 42 researchers pivoted on the SSH key for 45.227.253[.]99 and identified three other IP addresses related to Trigona’s\r\ninfrastructure:\r\n45.227.253[.]106\r\n45.227.253[.]98\r\n45.227.253[.]107\r\nEach IP shares the same SSH key of ecdsa-sha2-nistp256\r\nAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMjqeyIfJyuimtE414TBCxN+lHleN5/P3CNiD4uln5xyHjyw4muLePQj2y3\r\nIPs 45.227.253[.]99 and 45.227.253[.]106 hosted web servers on port 8000, while 45.227.253[.]98 and 45.227.253[.]107\r\nhosted no web services.\r\nWe identified that 45.227.253[.]99 hosted a web server between Dec. 6, 2022, and Jan. 27, 2023. On Feb. 13, 2023,\r\n45.227.253[.]106 started hosting a web server with the HTML title Trigona Leaks that was active until March 3, 2023.\r\nAs shown in Figure 3, each post contained the following information:\r\nA description of the company\r\nThe victim’s ZoomInfo page\r\nA description of the stolen data\r\nLinks to screenshots of example files\r\nA countdown timer\r\nA button to bid for the data.\r\nThe “@ Place a bid” button contained a mailto link to auction@mailthink[.]net. Mailthink is a service that allows users to\r\ncreate temporary, disposable email addresses.\r\nFigure 3. Trigona leak site.\r\nWhile the leak site was active, there were four victims:\r\nVictim 1 has a near-duplicate post on the BlackCat (ALPHV) leak site and a countdown timer of over 300 days.\r\nSecurity researchers at Arete Incident Response recently observed Trigona leveraging BlackCat’s reputation and data\r\nleak site to pressure and extort victims. It’s unclear whether Victim 1 was impacted by Trigona.\r\nVictim 2 has a duplicate post on the BlackCat (ALPHV) leak site and a countdown timer of over 300 days. 
It’s\r\nunclear whether Victim 2 was impacted by Trigona.\r\nVictim 3 has an associated ransom note on VirusTotal and a countdown timer of just over 30 days. Unit 42 assesses\r\nwith high confidence that Victim 3 was impacted by Trigona.\r\nVictim 4 is not mentioned on any other ransomware gang’s leak site and has a countdown timer of over 300 days.\r\nUnit 42 did not identify any associated ransom notes and it’s unclear whether Victim 4 was impacted by Trigona.\r\nThe countdown timers of over 300 days for Victims 1, 2 and 4 were well beyond the usual timeframe that we have observed\r\nin incident response cases where attackers demand payment, which is between two and four weeks.\r\nGiven the following features, the Unit 42 team believes with moderate confidence that the surface web leak page was a\r\ndevelopment environment to test out features before a possible move to the dark web:\r\nSeveral posts appear to be duplicates from the BlackCat leak site (as shown in Figure 4)\r\nSeveral of the countdown timers are considerably longer\r\nThe leak site is no longer available on the surface web\r\nFigure 4. Comparison between Trigona leak site (left) and BlackCat (ALPHV) leak site (right).\r\nSimilarities to CryLock Ransomware\r\nTrigona operators share overlap in tactics, techniques and procedures (TTPs) with CryLock ransomware operators,\r\nsuggesting that ransomware threat actors that once deployed CryLock ransomware might have moved on to deploying\r\nTrigona ransomware. The email associated with Trigona ransom notes analyzed by Unit 42 (phandaledr@onionmail[.]org)\r\nwas mentioned in an online forum discussing CryLock ransomware, as shown below in Figure 5.\r\nFigure 5. A user on SafeZone, a Russian anti-malware forum, seeking help for CryLock ransomware.\r\nBoth ransomware families also drop ransom notes in HTML Application format, named how_to_decrypt.hta. 
There are also\r\nsimilarities in the ransom message, including:\r\nTheir claim that all “documents, databases, backups, and other critical” files and data were encrypted\r\nAES as their choice of cryptographic algorithm\r\nTheir statement that “the price depends on how soon you will contact us”\r\nTools and Techniques\r\nUnit 42 has seen evidence of malicious activity associated with Trigona originating from a compromised Windows 2003\r\nserver, followed by the threat operators executing NetScan for internal reconnaissance.\r\nNetScan\r\nUnit 42 analysts recovered the NetScan output and noticed that it contained Cyrillic characters, as shown below in Figure 6.\r\nChanging the default language of NetScan to Russian is an option that can be configured upon initial installation.\r\nFigure 6. NetScan output that operator(s) left on disk containing Cyrillic characters.\r\nAfter conducting reconnaissance, Trigona operators used Splashtop – a remote monitoring and management (RMM) tool – to\r\ntransfer the following malware into the target’s environment.\r\nThreat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not necessarily\r\nimply a flaw or malicious quality to the legitimate product being abused.\r\nStart.bat\r\nStart.bat is a batch script that performs the following activities:\r\nIt creates a new folder at C:\\temp\r\nIt copies other malicious batch and EXE files from a compromised internal Server Message Block (SMB) server to\r\nthe newly created temp folder\r\nIt executes Turnoff.bat\r\nTurnoff.bat\r\nTurnoff.bat is a cleanup script used to remove evidence of the attack on a system. 
It does so by performing the following\r\nactivities:\r\nClearing the Recycle Bin of any mounted drive\r\nAttempting to use sc stop and taskkill to stop over 100 services related to various areas ranging from remote desktop\r\ntools to Windows Defender\r\nAttempting to stop services related to VMware, Hyper-V and SQL\r\nEnding several running tasks related to the stopped services mentioned above\r\nClearing Windows Event Logs (using wevtutil cl)\r\nDeleting Volume Shadow Copies\r\nDisconnecting all network drives\r\nUnit 42 researchers have observed that cleanup scripts from other threat actors are usually smaller and more specific to the\r\ntools used by that actor. The scattershot variety of services and tasks that turnoff.bat stops could suggest that the tool is\r\nattempting to ensure that a wider variety of systems are encrypted.\r\nNewuser.bat\r\nNewuser.bat is a batch script that creates a new user with the name fredla and the password Qw123456. It then adds the\r\nfredla user to the local groups Administrator and Remote Desktop Users. Threat actors sometimes create privileged user\r\naccounts to keep access to target systems without having to install persistent remote access tools on the system.\r\nDC2.exe\r\nDC2.exe contains a password protected version of Mimikatz, which is a tool used for extracting sensitive information such\r\nas passwords and authentication credentials from a Windows operating system.\r\nThis version of Mimikatz has been compressed using UPX. While UPX is often legitimately used to reduce file size, we\r\nhave observed threat actors utilizing UPX and other packing programs to evade static detection of the underlying payload.\r\nThe tool is also password protected, which adds an extra layer of complexity when ascertaining the program’s functionality.\r\nWhen the executable is run, the threat actor is prompted for a password to continue. 
The MD5 hash of the password is then\r\ncalculated, and if it is equal to 4dbf44c6b1be736ee92ef90090452fc2, the program will continue running.\r\nThe password required to achieve the MD5 hash is boris.\r\nAmong its many legitimate uses, Unit 42 researchers have most often observed Mimikatz being leveraged maliciously by\r\nthreat actors in the following ways:\r\nCredential Loading\r\nMimikatz loads credentials from various sources such as Windows memory, Local Security Authority\r\nSubsystem Service (LSASS) process and the Windows registry.\r\nCredential Dumping\r\nThe tool then extracts and dumps the credentials, including usernames and passwords, hashes, and Kerberos\r\ntickets to the screen or to a file.\r\nCredential Manipulation\r\nMimikatz allows the user to manipulate the dumped credentials, such as changing passwords, creating new\r\nuser accounts and adding users to groups.\r\nCredential Injection\r\nThe tool can also inject the manipulated credentials into other processes, allowing the user to impersonate\r\nanother user and gain access to restricted resources.\r\nDC4.exe\r\nDC4.exe is a small, UPX-packed password protected binary that generates and executes an embedded batch file. Like\r\nDC2.exe, the password to allow the binary to run is boris.\r\nUpon execution, the batch file makes the following changes to the system:\r\n1. Disables the User Account Control (UAC) and sets cmd.exe as a debugger for HelpPane.exe, utilman.exe,\r\nMagnify.exe and sethc.exe. This is a common method of creating a “Sticky Keys backdoor” that allows for the\r\ncreation of a command prompt with NT AUTHORITY\\SYSTEM privileges.\r\n2. Opens specific ports on the firewall to allow remote desktop connections using the netsh command.\r\n3. Modifies the Windows registry to allow remote desktop connections.\r\n4. 
Creates a new user account with the username sys and password Mm1518061+-, and adds this user to the\r\nAdministrator and Remote Desktop Users groups.\r\nDC6.exe\r\nDC6.exe is an installer for the publicly available tool Advanced Port Scanner, wrapped up in an Inno Setup installer\r\npackage. Inno Setup is a free software installer for Windows programs. Advanced Port Scanner is a tool that is commonly\r\nabused by threat actors for network scanning and mapping, for lateral movement and discovery purposes.\r\nWrapping Advanced Port Scanner in Inno Setup adds an additional layer of obfuscation to the code, and it is likely to evade\r\nstatic signature detection, forcing dynamic analysis to determine functionality rather than relying on traditional static code\r\nsignatures.\r\nTTPs\r\nTactic / Technique - Notes\r\nTA0002 Execution\r\nT1072. Software Deployment Tools - Trigona operators use Splashtop to move laterally and transfer malware between compromised hosts in the victim’s environment.\r\nTA0003 Persistence\r\nT1546.008. Accessibility Features - DC4.exe creates a batch script that, when executed, creates a “Sticky Keys backdoor” that allows for creation of a command prompt with NT AUTHORITY\\SYSTEM privileges.\r\nT1136. Create Account - Newuser.bat creates a new user with the username fredla and password Qw123456.\r\nT1098. Account Manipulation - Trigona operators compromise administrator accounts and use them to conduct malicious activities, such as executing NetScan.\r\nTA0005 Defense Evasion\r\nT1027. Obfuscated Files or Information - Trigona operators use UPX to pack DC2.exe and DC4.exe to avoid static signature detection. For DC6.exe, Trigona hid the installer for Advanced Port Scanner within an Inno Setup installer to evade static signature detection.\r\nT1112. Modify Registry - DC4.exe creates a batch script that, when executed, modifies the Windows Registry to allow remote desktop connections.\r\nT1562.004. Disable or Modify System Firewall - Trigona operators open up a Remote Desktop Protocol (RDP) port in the firewall with DC4.exe.\r\nT1070.001. Indicator Removal: Clear Windows Event Logs - Trigona operators use turnoff.bat to clear event logs via wevtutil cl.\r\nT1070.004. Indicator Removal: File Deletion - Trigona operators delete files such as mim.exe, mim32.exe, zam.exe and zam.bat to cover their tracks. Mim32.exe is associated with Mimikatz while zam.exe and zam.bat are associated with NetScan.\r\nT1036.004. Masquerade Task or Service - Trigona’s ransomware binary was named svhost.exe to mimic the legitimate Windows binary svchost.exe.\r\nTA0006 Credential Access\r\nT1555. Credentials from Password Stores - Trigona operators use Mimikatz to dump passwords.\r\nT1003.001. OS Credential Dumping: LSASS Memory - Trigona operators use Mimikatz to dump passwords from LSASS.\r\nTA0007 Discovery\r\nT1046. Network Service Discovery - Trigona operators use NetScan to enumerate hosts within victims’ domains that might be vulnerable to remote software exploitation.\r\nT1069. Permission Groups Discovery - Trigona operators use NetScan to enumerate the security-enabled local group membership of the Administrators group.\r\nTA0008 Lateral Movement\r\nT1021.001. Remote Desktop Protocol - Trigona operators utilize RDP to move laterally in the victim’s environment.\r\nT1570. Lateral Tool Transfer - Trigona operators use Splashtop to transfer malicious tools from computer to computer in the victim’s environment.\r\nTA0011 Command and Control\r\nT1105. Ingress Tool Transfer - Trigona operators utilize Splashtop to transfer netscan.exe, netscan.lic, netscan.xml, newuser.bat, start.bat and turnoff.bat.\r\nT1219. Remote Access Software - Trigona operators install and execute remote access tools such as Splashtop on targeted systems.\r\nTA0040 Impact\r\nT1486. Data Encrypted for Impact - Trigona ransomware encrypts files with the ._locked file extension.\r\nT1489. Service Stop - Turnoff.bat uses sc stop and taskkill to stop services related to remote desktop tools (e.g., ScreenConnect, LogMeIn and TeamViewer), as well as VMware, Hyper-V and SQL.\r\nT1490. Inhibit System Recovery - Trigona operators use Turnoff.bat to delete Volume Shadow Copies.\r\nConclusion\r\nTrigona is a newer strain of ransomware that, to date, has had minimal coverage by security news articles. This lack of\r\nsecurity community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations\r\ndominate the news headlines. 
We hope that shining a light on Trigona and its uncommon technique of using password-protected executables to obfuscate malware helps defenders better protect their organizations against this threat.\r\nDue to the stream of victims identified by the Unit 42 team and Trigona’s currently developing leak site, the operator and/or\r\naffiliates behind the ransomware likely will continue (and possibly even ramp up) their malicious activity.\r\nPalo Alto Networks customers receive protections from Trigona threats through the following products:\r\nWildFire currently lists all known binaries of Trigona as malicious, which will trigger alerting within Prisma Cloud\r\nand Cortex XDR.\r\nPrisma Cloud will detect any instance of this malware being executed through properly configured Defender agents\r\nusing WildFire.\r\nAdditionally, Prisma Cloud Defender agents can be installed on Windows 2016 and 2019 servers, as well as\r\non Windows Docker Container hosts.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber\r\nThreat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to\r\nsystematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nIoC - Note\r\nbef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13 - svhost.exe (Ransomware Binary)\r\n853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e - Splashtop\r\n24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5 - Netscan\r\n4724EE7274C31C8D418904EE7E600D92680A54FECDAC28606B1D73A28ECB0B1E - Netscan\r\ne22008893c91cf5bfe9f0f41e5c9cdafae178c0558728e9dfabfc11c34769936 - Netscan\r\n8d069455c913b1b2047026ef290a664cef2a2e14cbf1c40dce6248bd31ab0067 - Netscan\r\n544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc - start.bat\r\na15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6 - turnoff.bat\r\nb7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd - newuser.bat\r\ne5cf252041045b037b9a358f5412ae004423ad23eac17f3b03ebef7c8147a3bb - Mimikatz\r\n5603d4035201a9e6d0e130c561bdb91f44d8f21192c8e2842def4649333757ab - Mimikatz\r\n69f245dc5e505d2876e2f2eec87fa565c707e7c391845fa8989c14acabc2d3f6 - Mimikatz\r\nphandaledr@onionmail[.]org - Ransom note contact email\r\nfarusbig@tutanota[.]com - Ransom note contact email\r\nhow_to_decrypt.hta - Ransom note name\r\n94979b61bba5685d038b4d66dd5e4e0ced1bba4c41ac253104a210dd517581b8 - DC2.exe\r\n9c8a4159166062333f2f74dd9d3489708c35b824986b73697d5c34869b2f7853 - DC4.exe\r\nc5d09435d428695ce41526b390c17557973ee9e7e1cf6ca451e5c0ae443470ca - DC6.exe\r\n3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion - Trigona TOR negotiation portal\r\n45.227.253[.]99 - IP address associated with Trigona activity\r\n45.227.253[.]106 - IP address currently hosting Trigona leak site\r\n45.227.253[.]98 - IP address associated with Trigona activity\r\n45.227.253[.]107 - IP address associated with Trigona activity\r\nAdditional Resources\r\nTrigona ransomware spotted in increasing attacks worldwide - 
BleepingComputer\r\nRansomware Roundup - Trigona Ransomware - Fortinet\r\nProduct Protection Guide\r\nProduct/Service Course of Action\r\nExecution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement\r\nThe below courses of action mitigate the following techniques:\r\nCommand and Scripting Interpreter [T1059], Create Account [T1136], Account Manipulation [T1098], Local Account\r\n[T1136.001], File Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or\r\nModify System Firewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or\r\nLocation [T1036.005], Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear\r\nWindows Event Logs [T1070.001], Masquerade Task or Service [T1036.004], Credentials from Password Stores\r\n[T1555], OS Credential Dumping [T1003], LSASS Memory [T1003.001], System Network Configuration Discovery\r\n[T1016], System Information Discovery [T1082], Network Service Discovery [T1046], Permission Groups Discovery\r\n[T1069], Remote Desktop Protocol [T1021.001], Lateral Tool Transfer [T1570], Software Deployment Tools [T1072],\r\nRegistry Run Keys / Startup Folder [T1547.001], Accessibility Features [T1546.008], Bypass User Account Control\r\n[T1548.002]\r\nNext-Generation Firewalls\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure remote access capabilities for the User-ID service account are forbidden.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nDefine at least one 'Include Network'.\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance\r\nProtection 
settings enabled, tuned, and set to appropriate actions\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nEnsure application security policies exist when allowing traffic from an untrusted\r\nzone to a more trusted zone\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nDeploy XSOAR Playbook - Port Scan\r\nDeploy XSOAR Playbook Cortex XDR - Isolate Endpoint\r\nCortex XDR Prevent\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Exploit Protection\r\nConfigure Restrictions Security Profile\r\nEnable Anti-Malware Protection\r\nConfigure Host Firewall Profile\r\nThreat Prevention\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nExecution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement\r\nThe below courses of action mitigate the following techniques:\r\nCreate Account [T1136], Account Manipulation [T1098], Local Account [T1136.001], File Deletion [T1070.004],\r\nModify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System Firewall [T1562.004],\r\nDeobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005], Disable Windows\r\nEvent Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs [T1070.001],\r\nMasquerade Task or Service [T1036.004], Credentials from Password Stores [T1555], OS 
Credential Dumping [T1003],\r\nLSASS Memory [T1003.001], System Network Configuration Discovery [T1016], System Information Discovery\r\n[T1082], Network Service Discovery [T1046], Permission Groups Discovery [T1069], Remote Desktop Protocol\r\n[T1021.001], Lateral Tool Transfer [T1570], Software Deployment Tools [T1072], Registry Run Keys / Startup Folder\r\n[T1547.001], Accessibility Features [T1546.008], Bypass User Account Control [T1548.002]\r\nNext-Generation Firewalls\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure remote access capabilities for the User-ID service account are forbidden.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nDefine at least one 'Include Network'.\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance\r\nProtection settings enabled, tuned, and set to appropriate actions\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nEnsure application security policies exist when allowing traffic from an untrusted\r\nzone to a more trusted zone\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nDeploy XSOAR Playbook - Port Scan\r\nDeploy XSOAR Playbook Cortex XDR - Isolate Endpoint\r\nCortex XDR Prevent\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Exploit Protection\r\nConfigure Restrictions Security Profile\r\nEnable Anti-Malware Protection\r\nConfigure Host Firewall 
Profile\r\nThreat Prevention\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nPersistence, Privilege Escalation, Defense Evasion\r\nThe below courses of action mitigate the following techniques:\r\nCreate Account [T1136], Account Manipulation [T1098], Local Account [T1136.001], File Deletion [T1070.004],\r\nModify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System Firewall [T1562.004],\r\nDeobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005], Disable Windows\r\nEvent Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs [T1070.001],\r\nMasquerade Task or Service [T1036.004], Registry Run Keys / Startup Folder [T1547.001], Accessibility Features\r\n[T1546.008], Bypass User Account Control [T1548.002]\r\nNext-Generation Firewalls\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure remote access capabilities for the User-ID service account are forbidden.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nDefine at least one 'Include Network'.\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nCortex XDR Prevent\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Exploit 
Protection\r\nConfigure Restrictions Security Profile\r\nEnable Anti-Malware Protection\r\nPersistence, Privilege Escalation, Defense Evasion\r\nThe below courses of action mitigate the following techniques:\r\nFile Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System\r\nFirewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location\r\n[T1036.005], Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows\r\nEvent Logs [T1070.001], Masquerade Task or Service [T1036.004], Registry Run Keys / Startup Folder [T1547.001],\r\nAccessibility Features [T1546.008], Bypass User Account Control [T1548.002]\r\nCortex XDR Prevent\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Exploit Protection\r\nConfigure Restrictions Security Profile\r\nEnable Anti-Malware Protection\r\nPrivilege Escalation, Defense Evasion\r\nThe below courses of action mitigate the following techniques:\r\nFile Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System\r\nFirewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location\r\n[T1036.005], Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows\r\nEvent Logs [T1070.001], Masquerade Task or Service [T1036.004], Bypass User Account Control [T1548.002]\r\nCortex XDR Prevent\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Exploit Protection\r\nConfigure Restrictions Security Profile\r\nEnable Anti-Malware Protection\r\nDefense Evasion\r\nThe below courses of action mitigate the following techniques:\r\nFile Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify 
System\r\nFirewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location\r\n[T1036.005], Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows\r\nEvent Logs [T1070.001], Masquerade Task or Service [T1036.004]\r\nCortex XDR Prevent\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Exploit Protection\r\nConfigure Restrictions Security Profile\r\nEnable Anti-Malware Protection\r\nCredential Access\r\nThe below courses of action mitigate the following techniques:\r\nCredentials from Password Stores [T1555], OS Credential Dumping [T1003], LSASS Memory [T1003.001]\r\nCortex XDR Prevent\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nDiscovery\r\nThe below courses of action mitigate the following techniques:\r\nSystem Network Configuration Discovery [T1016], System Information Discovery [T1082], Network Service Discovery\r\n[T1046], Permission Groups Discovery [T1069]\r\nNext-Generation Firewalls\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance\r\nProtection settings enabled, tuned, and set to appropriate actions\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nEnsure application security policies exist when allowing traffic from an untrusted\r\nzone to a more trusted zone\r\nCortex XSOAR Deploy XSOAR Playbook - Port Scan\r\nLateral Movement\r\nThe below courses of action mitigate the following techniques:\r\nRemote Desktop Protocol [T1021.001], Lateral Tool Transfer [T1570]\r\nNext-Generation Firewalls Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure remote access capabilities for the User-ID service account are forbidden.\r\nEnsure that the User-ID Agent has minimal permissions if 
User-ID is enabled\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure application security policies exist when allowing traffic from an untrusted\r\nzone to a more trusted zone\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance\r\nProtection settings enabled, tuned, and set to appropriate actions\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nhttps://unit42.paloaltonetworks.com/trigona-ransomware-update/\r\nPage 12 of 14\n\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nCortex XDR Prevent Configure Host Firewall Profile\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Block Account Generic\r\nThreat Prevention\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nCommand and Control\r\nThe below courses of action mitigate the following techniques:\r\nRemote Access Software [T1219], Ingress Tool Transfer [T1105]\r\nNext-Generation Firewalls\r\nEnsure that the Certificate used for Decryption is Trusted\r\nEnsure application security policies exist when allowing traffic from an untrusted\r\nzone to a more trusted zone\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined for\r\nservers using SSL or TLS\r\nEnsure 
'Service setting of ANY' in a security policy allowing traffic does not exist\r\nSetup File Blocking\r\nThreat Prevention\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting\r\ntraffic to the Internet\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nURL Filtering\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the\r\nInternet\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of “block” or “override” on the URL\r\ncategories\r\nEnsure that access to every URL is logged\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook - Hunting C\u0026C Communication Playbook (Deprecated)\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Block IP\r\nCortex XDR Prevent XDR BIOCs / ABIOCs\r\nImpact\r\nhttps://unit42.paloaltonetworks.com/trigona-ransomware-update/\r\nPage 13 of 14\n\nThe below courses of action mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Service Stop [T1489], Inhibit System Recovery [T1490]\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\nTable 1. Product Protection Guide.\r\nUpdated March 16, 2023, at 10:13 a.m. 
PT.\r\nTable of Contents\r\nExecutive Summary\r\nTrigona Overview\r\nRansomware Analysis\r\nRansomware Binary\r\nRansom Note\r\nVictimology\r\nLeak Site Analysis\r\nSimilarities to CryLock Ransomware\r\nTools and Techniques\r\nNetScan\r\nStart.bat\r\nTurnoff.bat\r\nNewuser.bat\r\nDC2.exe\r\nDC4.exe\r\nDC6.exe\r\nTTPs\r\nConclusion\r\nIndicators of Compromise\r\nAdditional Resources\r\nProduct Protection Guide\r\nTable 1. Product Protection Guide.\r\nRelated Articles\r\nThreat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025)\r\nMuddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful\r\nThreat Group Assessment: Muddled Libra (Updated May 16, 2025)\r\nEnlarged Image\r\nSource: https://unit42.paloaltonetworks.com/trigona-ransomware-update/\r\nhttps://unit42.paloaltonetworks.com/trigona-ransomware-update/\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/trigona-ransomware-update/"
	],
	"report_names": [
		"trigona-ransomware-update"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775791852,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a8f4e8e6725406ab218d356ea9fb32e7519ac46.pdf",
		"text": "https://archive.orkl.eu/5a8f4e8e6725406ab218d356ea9fb32e7519ac46.txt",
		"img": "https://archive.orkl.eu/5a8f4e8e6725406ab218d356ea9fb32e7519ac46.jpg"
	}
}