{
	"id": "ad7b0470-85dd-49a2-91a6-1d7029146356",
	"created_at": "2026-04-06T01:32:36.001361Z",
	"updated_at": "2026-04-10T03:29:40.014581Z",
	"deleted_at": null,
	"sha1_hash": "ac0581be5632816dab0eceeaaa1abe87a2325b05",
	"title": "An Overview of the Different Versions of the Trigona Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 829921,
	"plain_text": "An Overview of the Different Versions of the Trigona Ransomware\r\nBy Arianne Dela Cruz, Paul Pajares, Ivan Nicole Chavez, Ieriz Nicolle Gonzalez, Nathaniel Morales (1520 words)\r\nPublished: 2023-06-23 · Archived: 2026-04-06 01:04:21 UTC\r\nRansomware\r\nRead time: 6 min\r\nThe Trigona ransomware is a relatively new ransomware family that began activities around late October 2022, although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active and have been continuously updating their ransomware binaries. By April 2023, Trigona began targeting compromised MSSQL servers by stealing credentials via brute force methods. In May 2023, we found a Linux version of Trigona that shared similarities with its Windows counterpart.\r\nThe threat actors behind Trigona are allegedly the same group behind the CryLock ransomware, due to similarities in tools, tactics, and procedures (TTPs). Trigona has also been linked to the ALPHV group (also known as BlackCat), though we believe that any similarities between Trigona and the BlackCat ransomware are circumstantial at best (one possibility is that ALPHV collaborated with the threat actors deploying Trigona but was not actually involved in its development and operation).\r\nTarget countries and industries\r\nBased on Trend Micro™ Smart Protection Network™ data, the US and India were the countries with the highest number of Trigona ransomware detections, with Israel, Turkey, Brazil, and Italy also having a significant count.\r\nMeanwhile, attacks focused mainly on the technology and healthcare industries, which had the highest number of detections.\r\nFigure 1. Trigona ransomware detections based on country\r\nFigure 2. Trigona ransomware detections based on industry\r\nInfection chain\r\nFigure 3. The Trigona ransomware infection chain (based on Palo Alto’s analysis of Trigona)\r\nBased on a report from Arete, Trigona was found to be exploiting the ManageEngine vulnerability CVE-2021-40539 for initial access. In addition, the threat actors used previously compromised accounts, obtaining access from network access brokers.\r\nIt uses a variety of tools for lateral movement, including Splashtop (a legitimate remote access tool), which is used to drop additional tools on a compromised machine.\r\nTrigona drops a file called turnoff.bat (detected as Trojan.BAT.TASKILL.AE) to terminate AV-related services and processes. It also uses Network Scanner and Advanced Port Scanner to identify network connections.\r\nBased on AhnLab’s analysis, Trigona’s operators use CLR shell in attacks launched against MS-SQL servers. This tool supports multiple commands, including one that drops additional executables for privilege escalation (nt.exe).\r\nFigure 4. Infection chain for a compromised SQL server (based on AhnLab’s analysis)\r\nTrigona encrypts files on infected machines using AES encryption. The ransomware also contains an encrypted configuration in its resource section, which is decrypted upon execution; however, it only uses certain strings within this configuration. Trigona randomizes the file names of encrypted files and appends the ._locked extension upon encryption.\r\nTrigona’s operators employ the credential dumper Mimikatz to gather the passwords and credentials found on the victims’ machines.\r\nLinux Version\r\nIn May 2023, our threat hunting team found a Linux ransomware binary that had only a small number of detections. Upon further verification, we confirmed these binaries to be a Linux version of Trigona. Like its 32-bit Windows counterpart, this binary accepts command-line arguments for execution.\r\nFigure 5. Code snippet showing command-line arguments from the Linux version of Trigona\r\nThe ransom note dropped by the binary (how_to_decrypt.txt) contains only an email address of the threat actor behind the attack. This may indicate that the Linux version is still a work in progress.\r\nFigure 6. Ransom note dropped by the Linux version of Trigona\r\nWindows 64-bit version\r\nIn June 2023, we encountered a new version of the Trigona ransomware, this time designed for Windows 64-bit platforms. This version implements additional command-line arguments that were not present in the Linux version or the original 32-bit version (such as /sleep and /debug).\r\nFigure 7. Snippet showing command-line arguments from the 64-bit Windows version of Trigona\r\nCommand-line arguments\r\nTable 1 summarizes the command-line arguments used by each of the different versions of Trigona (a dash means the argument is not present in that version):\r\n32-bit Windows | 64-bit Windows | Linux | Description\r\n/r | /r | - | Allows the encryption of files in a random order\r\n/full | /full | /full | Encrypts the whole content of the target file (if not used, only the first 0x80000 bytes/512 KB are encrypted)\r\n/erase | /erase | /erase | Deletes the content of the target files (by default, only the first 512 KB is erased unless the argument /full is used)\r\n/!autorun | /!autorun | - | Does not create the autorun registry entry\r\n/is_testing | /is_testing | /is_testing | Used with /test_cid and /test_vid for testing purposes\r\n/test_cid | /test_cid | /test_cid | Uses the specified Computer ID instead of generating one\r\n/test_vid | /test_vid | /test_vid | Uses the specified Victim ID instead of the one in the configuration\r\n/p | /p | /p | Specifies the path to encrypt\r\n/path | /path | /path | Specifies the path to encrypt\r\n/!local | /!local | - | Avoids encrypting local files\r\n/!lan | /!lan | - | Avoids encrypting network shares\r\n/shdwn | /shdwn | /shutdown | Forces shutdown of the machine after encryption\r\n/autorun_only | /autorun_only | - | Creates an autorun registry entry that will execute the ransomware upon logon; does not perform the encryption yet\r\n- | /sleep | - | Sleeps for n seconds before execution\r\n- | /debug | - | Executes in debug mode; needs to be executed with /p\r\n- | /log_f | - | Specifies the log file for logging\r\n- | /fast | - | \r\n- | /allow_system | - | Allows encryption of files in the system directory\r\nTable 1. Command-line arguments used by each Trigona version\r\nEncryption\r\nAll versions of Trigona employ TDCP_rijndael (AES) to encrypt the target files, depending on the configuration set in its resource section.\r\nFigure 8. The Linux version of Trigona using AES for encryption\r\nEncrypted files are either renamed with encrypted strings or given the additional prepended string available_for_trial, and then appended with the ._locked extension.\r\nFigure 9. Files encrypted by Trigona\r\nTo pressure victims into paying the ransom, the Trigona leak site contains a countdown timer and bidding options for parties interested in acquiring access to the leaked data. The attackers provide each victim with an authorization key that they can use to register on the negotiation portal provided by Trigona.\r\nTrigona leak site update\r\nThe Trigona ransomware group employs a double extortion scheme. In addition to the main leak site, which displays the list of victim companies, Trigona’s operators also use a Tor site where victims can communicate with the threat actor group to negotiate for the decryption tool. Interestingly, they also flag those victims that have already paid.\r\nThe report from Palo Alto revealed an IP address hosting the leak site under the name \"Trigona Leaks\" and using port 8000. Additionally, another IP address titled \"Leaks\" was uncovered, which also used port 8000 and shared the same IP range as the previously mentioned leak site IP address.\r\nDuring our investigation, we found another IP address on June 3 that was still active at the time of writing. This IP address, which uses port 3000 and the title Blog, is within the IP range of the previous addresses. We surmise that the threat actor relocates some of its infrastructure when its IP address is exposed. Using this third leak site, we were able to find their file storage site (aeey7hxzgl6zowiwhteo5xjbf6sb36tkbn5hptykgmbsjrbiygv4c4id[.]onion). This site hosts critical data stolen from victims, such as documents, contracts, and other large amounts of data.\r\nThe Trigona ransomware group has poor operational security when it comes to the implementation of its Tor sites, although its aim of targeting poorly managed SQL servers is not something we usually see with less technically proficient threat actors. Our ransomware spotlight on TargetCompany shows another group using a similar technique of targeting SQL servers.\r\nFigure 10. Main leak site of Trigona\r\nFigure 11. Trigona leak site found via Shodan on June 3, 2023\r\nFigure 12. The file storage Tor site of Trigona using the title “test”\r\nConclusion and recommendations\r\nThe Trigona ransomware currently maintains a relatively low profile when compared to more widespread families, allowing it to operate covertly. Nonetheless, due to its continuous evolution and increased activity, we anticipate that Trigona will gain prominence in the near future. Furthermore, it joins the growing list of ransomware groups that have developed a Linux version to try to capitalize on the expanding high-value Linux market, adding evidence that Trigona’s operators are trying to expand their reach as much as possible. It is therefore crucial for individuals and organizations to familiarize themselves with this ransomware to prevent potential harm.\r\nTo safeguard systems against ransomware attacks, organizations should adopt effective measures. These include implementing data protection protocols and establishing backup and recovery procedures to ensure that data remains secure and can be restored in case of encryption or even deletion. Conducting routine vulnerability assessments and promptly patching systems can significantly reduce the impact of ransomware attacks that exploit vulnerabilities.\r\nWe recommend the following security precautions:\r\n1. Enable multifactor authentication (MFA) to hinder attackers from moving laterally within a network and accessing sensitive information.\r\n2. Follow the 3-2-1 rule when creating backups for important files. This involves generating three backup copies stored in two different file formats, with one copy stored in a separate location. This ensures redundancy and minimizes the risk of data loss.\r\n3. Update and patch systems regularly. It is important to keep applications and operating systems up to date and to establish robust patch management protocols to prevent malicious actors from exploiting software vulnerabilities.\r\nIndicators of Compromise\r\nSHA256 | Detection name\r\nf1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663 | Ransom.Linux.TRIGONA.THCBBBC\r\n951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74 | Ransom.Linux.TRIGONA.THEAFBC\r\nd0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c | Ransom.Win64.TRIGONA.YXDFIZ\r\na891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9 | Ransom.Win64.TRIGONA.THFOIBC\r\n2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357 | Ransom.Win64.TRIGONA.YXDFOZ\r\n8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376 | Ransom.Win32.TRIGONA.YPDDZ\r\nfb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b | Ransom.Win32.TRIGONA.YMDBJ\r\n41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff | Ransom.Win64.TRIGONA.YXDFUZ\r\nc7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f | Trojan.MSIL.TRIGONA.YCDCT\r\nSource: https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html"
	],
	"report_names": [
		"an-overview-of-the-trigona-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439156,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac0581be5632816dab0eceeaaa1abe87a2325b05.pdf",
		"text": "https://archive.orkl.eu/ac0581be5632816dab0eceeaaa1abe87a2325b05.txt",
		"img": "https://archive.orkl.eu/ac0581be5632816dab0eceeaaa1abe87a2325b05.jpg"
	}
}