November 30, 2022

The Malware Hunter Team claims to have discovered Trigona, a new encrypting ransomware variant. The malware appears to be a rebranded variant of an older ransomware strain. And this hacking group is unique in that they accept Monero as ransom payments.

Trigona was a well-known game hosted on Chinese servers that operated under the same name until September 2020. It also accepts command line arguments that specify whether local or network files should be encrypted, whether a Windows autorun key should be added, and whether a test victim ID (VID) or campaign ID (CID) should be used.

It uses command line arguments: /full /!autorun /test_cid /test_vid /path /!local /!lan /autorun_only and encrypts all files on a device except those in specific folders, such as the Windows and Program Files folders, then renames the encrypted files to use the ._locked extension. The ransomware also embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.

It is unclear, however, how the operation breaches networks or deploys ransomware. However, it is known that it sends out ransom notes called how to decrypt.hta, which contain information about the attack, a link to the Tor negotiation site, and a link that copies an authorization key into the Windows clipboard, which is required to log in to the Tor negotiation site.

The sources for this piece include an article in BleepingComputer.