
A new strain of ransomware, dubbed Trigona, has been identified as highly active over the past several months. The strain was named after a family of stingless bees and was first discovered in October 2022. Trigona was reportedly highly active in December 2022, and security experts are scrambling to learn more about this new strain.

Unit 42 researchers identified that Trigona affected manufacturing, finance, construction, marketing, and high-technology organizations. According to the researchers, “Trigona’s threat operator engages in behaviours such as obtaining initial access to a target’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM) software, creating new user accounts, and deploying ransomware.”

The researchers also noted that the operators had reached a global scale, already being identified in countries such as Australia, Italy, France, Germany, New Zealand, and the US. According to experts, one of the main features that sets Trigona apart from other file-encrypting ransomware is its use of a .hta ransom note containing JavaScript code that displays payment instructions to the victim.

Furthermore, the JavaScript contains the victim’s unique identifier, a link to a Tor portal for negotiation between the victim and the attacker, and an email address. Leading cybersecurity company Palo Alto Networks reported that at least 15 companies might have been compromised in December 2022. The company also stated that it had found several other ransom notes between January and February 2023.
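The note structure described above (an .hta file whose JavaScript carries a victim identifier, a Tor negotiation link and a contact email) lends itself to a simple triage check. The following is an added example written for this article, not code from Unit 42 or Palo Alto Networks; the regex thresholds and the embedded sample note are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Traits the article attributes to the Trigona note: embedded JavaScript,
# a Tor (.onion) negotiation URL, a contact e-mail and a long opaque victim ID.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s\"'<>]*", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumption: a victim ID is a 24+ char alphanumeric token containing a digit.
TOKEN_RE = re.compile(r"\b(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{24,}\b")

def analyze_hta(content: str) -> dict:
    """Return the indicators found in an HTA ransom-note candidate."""
    scripts = SCRIPT_RE.findall(content)
    joined = "\n".join(scripts)
    # Strip URLs and e-mails before token search so hosts are not misread as IDs.
    cleaned = EMAIL_RE.sub(" ", ONION_RE.sub(" ", joined))
    return {
        "has_javascript": bool(scripts),
        "onion_urls": sorted(set(ONION_RE.findall(content))),
        "emails": sorted(set(EMAIL_RE.findall(content))),
        "victim_ids": sorted(set(TOKEN_RE.findall(cleaned))),  # script blocks only
    }

def is_suspected_ransom_note(content: str) -> bool:
    """Flag only when script, Tor link and e-mail occur together (fewer false positives)."""
    r = analyze_hta(content)
    return r["has_javascript"] and bool(r["onion_urls"]) and bool(r["emails"])

def scan_directory(root: str) -> list:
    """Walk a directory tree and return the paths of .hta files that trip the heuristic."""
    flagged = []
    for p in Path(root).rglob("*.hta"):
        if is_suspected_ransom_note(p.read_text(errors="ignore")):
            flagged.append(str(p))
    return flagged

# Constructed sample note (not a real Trigona artifact) used to exercise the checks.
SAMPLE_NOTE = """<html><head><title>how_to_decrypt</title></head><body>
<script type="text/javascript">
  var victimId = "7f3a9c1e5b2d4a6f8e0c1b3d5f7a9c2e";
  var portal = "http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/negotiate?id=" + victimId;
  var contact = "support@example.invalid";
  document.write("<p>Portal: " + portal + victimId + " Contact: " + contact + "</p>");
</script></body></html>"""

if __name__ == "__main__":
    print(analyze_hta(SAMPLE_NOTE), is_suspected_ransom_note(SAMPLE_NOTE))
```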

Unit 42 added that “Some of the tools observed in Trigona attacks include NetScan (for reconnaissance), Start.bat batch script (copies files to a newly created folder), Turnoff.bat (a cleanup script), Newuser.bat (creates a new user account), Mimikatz, DC4.exe (executes a batch file to disable UAC, opens specific firewall ports, and enables remote desktop connections), and Advanced Port Scanner.”

The ransomware operators also utilise leak sites to shame their victims, coercing them into paying the ransom demanded. Posts on the leak site typically contain a brief description of the company, the type of data stolen, and a bid button allowing anyone to purchase it.
