Fraud Management & Cybercrime , Ransomware

Ukrainian Hacktivists Claim Trigona Ransomware Takedown

Data From Trigona's Servers Exfiltrated and Wiped Out, Reads a Note on Leak Site
Ukrainian Hacktivists Claim Trigona Ransomware Takedown
A screenshot of the Trigona ransomware leak site taken on Oct. 18, 2023

Pro-Ukrainian hackers claimed responsibility for wiping the servers of the Trigona ransomware gang, a recently formed group that may have links to the Russian cybercriminal underground.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

The Ukrainian Cyber Alliance, a hacktivist collective, on Wednesday tweeted a screenshot of the gang's apparently defaced dark web leak site now displaying a message that "Trigona is gone. The servers of the Trigona ransomware gang has been exfiltrated and wiped out. Welcome to the world you created for others. Hacked by Ukrainian Cyber Alliance." Trigona dark web sites appeared to be offline as of Wednesday afternoon.

The same message appeared on the hacktivist group's Telegram channel. The group claims to be a community of cyber activists from various cities in Ukraine. Inform Napalm said the Ukrainian Cyber Alliance formed in 2016 through a merger of separate hacktivist groups.

A hacktivist that goes by the moniker @vx_herm1t on X, formerly known as Twitter, who asserts he is a member of this Ukrainian Cyber Alliance posted in a tweet thread what he said was the Trigona administrator panel access URL and the key for logging in. A self-proclaimed spokesperson for the Ukrainian Cyber Alliance on Facebook going by the name "Sean Brian Townsend" posted a similar message while making light of Russian ransomware hackers' abilities. "Ransomware is the scavenger of the computer world. They are weak. 'Terrible Russian hackers,' yeah, yeah," he wrote in Russian, according to a machine translation.

Malware Hunter Team confirmed the defacement of the Trigona leak and payment site and said the incident came only days after @vx_herm1t tweeted about hacking into Trigona's Confluence server.

@vx_herm1t told Information Security Media Group that the Ukrainian Cyber Alliance had used a recently disclosed CVE-2023-22515 vulnerability in Confluence to hack the Trigona server.*

"Despite the efforts of their admins who changed passwords and shut down their infra facing the internet (not TOR) we were able to maintain persistent access to infra, exfiltrated all the data and wiped the servers. It included administration panel, landing page for victims, blog, leaks site, monero hot wallets, dev environment and internal team server (with Rocket Chat, Confluence and Jira)," @vx_herm1t said.

He said the group penetrated the Monero wallets after finding two hardcoded passwords, but "they were empty."

Trigona's ransom notes are unique. Rather than the usual text file, they are an HTML application with embedded JavaScript containing unique computer IDs and victim IDs, cybersecurity firm Palo Alto Networks wrote in March. The HTML application file is named how_to_decrypt.hta.

Trigona ransomware is a relatively new strain that security researchers first spotted late last October. Palo Alto determined that Trigona was very active during December, with at least 15 potential victims. Affected organizations were mainly from manufacturing, finance, construction, agriculture, marketing and high- tech industries.

AhnLab in April discovered Trigona ransomware on poorly managed Microsoft SQL Server instances. SentinelOne has said the criminal group uses aggressive deadlines with victims in an attempt to intimidate them into paying extortion.

Cybersecurity firm Arete in February said Trigona had exploited ManageEngine vulnerability CVE-2021-40539 for initial access. An Arete report found evidence linking Trigona with BlackCat, also known as Alphv, a Russian-speaking criminal group suspected of being a successor to DarkSide and BlackMatter, with ties to former REvil members.

"Trigona explicitly communicated to victims via email and voicemail identifying themselves as Alphv (BlackCat), as well as Trigona.' Second, when the threat actor pressured one of their victims to pay the ransom demand, they shared a Tor link to an Alphv private blog page," Arete wrote.

The evidence isn't enough to establish that the two groups are actually the same, Arete concluded. It also said that Trigona and BlackCat "use different ransomware, exploit different vulnerabilities, and demonstrate different communication tactics."

TrendMicro came to a similar conclusion, writing in June that overlaps between the two groups are "only circumstantial at best." One possibility is that BlackCat collaborated with Trigona hackers but was not actually involved with the development and operation of the new ransomware group.

*Updated Oct. 19, 2023 19:25 UTC: Adds comment from @vx_herm1t.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.