Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries. Unit 42 researchers identified two new Trigona ransom notes in January 2023 and two in February 2023.

Trigona’s ransom notes are unusual: rather than the usual text file, they are presented as an HTML Application (HTA) with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).

The first mention of Trigona, also the name of a family of stingless bees, comes from a tweet by security researchers in late October 2022. Malware samples were passed to BleepingComputer, which in turn published a blog post on the ransomware on Nov. Unit 42 consultants also have seen Trigona firsthand in the course of incident response. Unit 42 researchers have observed Trigona’s threat operator engaging in behavior such as obtaining initial access to a target’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM) software, creating new user accounts and deploying ransomware.

Unit 42 obtained and analyzed a sample of the Trigona ransomware binary, named svhost.exe. Upon execution, the ransomware binary uses TDCP_rijndael (a Delphi AES library) to encrypt files, renames encrypted files with the _locked file extension, modifies registry keys to maintain persistence, and drops ransom notes.

The ransomware binary supports the following command line arguments:

- Overwrites the default victim-generated CID and replaces it with a “test” value
- Skips creation of registry keys for persistence
- Creates two registry keys for persistence, one for the ransomware binary and another for the ransom note
- Performs all functions of the ransomware

Palo Alto Networks helps detect and prevent Trigona ransomware with the following products and services: Cortex XDR, Prisma Cloud and Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire) and through incident response.
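As an added example (not code from the Unit 42 report), the triage helper below scores per-process endpoint events for the three behaviours the report describes: mass renames to the _locked extension, two persistence values (one pointing at the binary, one at the ransom note), and HTA ransom-note drops. The event schema, the Run-key location, the note filename and the rename threshold are all assumptions; the sample telemetry is constructed.

```python
from collections import defaultdict

LOCKED_SUFFIX = "_locked"   # extension appended to encrypted files (from the report)
NOTE_SUFFIX = ".hta"        # ransom note is an HTML Application (from the report)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed location

# Constructed telemetry shaped like simplified endpoint events; not real captured data.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "svhost.exe", "type": "file_rename", "target": r"C:\Data\q1.xlsx._locked"},
    {"pid": 4120, "image": "svhost.exe", "type": "file_rename", "target": r"C:\Data\q2.xlsx._locked"},
    {"pid": 4120, "image": "svhost.exe", "type": "file_rename", "target": r"C:\Data\plan.docx._locked"},
    {"pid": 4120, "image": "svhost.exe", "type": "reg_set", "target": RUN_KEY + r"\svhost", "data": r"C:\Users\Public\svhost.exe"},
    {"pid": 4120, "image": "svhost.exe", "type": "reg_set", "target": RUN_KEY + r"\note", "data": r"C:\Users\Public\how_to_decrypt.hta"},
    {"pid": 4120, "image": "svhost.exe", "type": "file_create", "target": r"C:\Data\how_to_decrypt.hta"},
    {"pid": 880, "image": "explorer.exe", "type": "file_rename", "target": r"C:\Users\a\notes.txt"},
    {"pid": 880, "image": "explorer.exe", "type": "file_create", "target": r"C:\Users\a\report.docx"},
]


def triage(events):
    """Group events by process and tally the Trigona-like traits for each."""
    per_pid = defaultdict(lambda: {"image": None, "locked_renames": 0,
                                   "persist_binary": False, "persist_note": False,
                                   "notes_dropped": 0})
    for ev in events:
        s = per_pid[ev["pid"]]
        s["image"] = ev["image"]
        target = ev["target"].lower()
        if ev["type"] == "file_rename" and target.endswith(LOCKED_SUFFIX):
            s["locked_renames"] += 1
        elif ev["type"] == "file_create" and target.endswith(NOTE_SUFFIX):
            s["notes_dropped"] += 1
        elif ev["type"] == "reg_set" and "\\run\\" in target:
            data = ev.get("data", "").lower()   # value written to the Run key
            if data.endswith(NOTE_SUFFIX):
                s["persist_note"] = True
            elif data.endswith(".exe"):
                s["persist_binary"] = True
    return dict(per_pid)


def suspicious_pids(events, rename_threshold=3):
    """PIDs with mass _locked renames plus persistence or a dropped note."""
    hits = []
    for pid, s in triage(events).items():
        mass_rename = s["locked_renames"] >= rename_threshold
        persisted = s["persist_binary"] and s["persist_note"]
        if mass_rename and (persisted or s["notes_dropped"] > 0):
            hits.append(pid)
    return sorted(hits)
```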