Ukrainian Hacktivists Claim Trigona Ransomware Takedown

Fraud Management & Cybercrime

Data From Trigona’s Servers Exfiltrated and Wiped Out, Reads a Note on Leak Site

Ukrainian Hacktivists Claim Trigona Ransomware Takedown
A screenshot of the Trigona ransomware leak site taken on Oct. 18, 2023

Pro-Ukrainian hackers claimed responsibility for wiping the servers of the Trigona ransomware gang, a recently formed group that may have links to the Russian cybercriminal underground.

See Also: Navigating the Regulatory Landscape: Rising GRC Trends and Data Breach Risks

The Ukrainian Cyber Alliance, a hacktivist collective, on Wednesday tweeted a screenshot of the gang’s apparently defaced dark web leak site now displaying a message that “Trigona is gone. The servers of the Trigona ransomware gang has been exfiltrated and wiped out. Welcome to the world you created for others. Hacked by Ukrainian Cyber Alliance.” Trigona dark web sites appeared to be offline as of Wednesday afternoon.

The same message appeared on the hacktivist group’s Telegram channel. The group claims to be a community of cyber activists from various cities in Ukraine. Inform Napalm said the Ukrainian Cyber Alliance formed in 2016 through a merger of separate hacktivist groups.

A hacktivist that goes by the moniker @vx_herm1t on X, formerly known as Twitter, who asserts he is a member of this Ukrainian Cyber Alliance posted in a tweet thread what he said was the Trigona administrator panel access URL and the key for logging in. A self-proclaimed spokesperson for the Ukrainian Cyber Alliance on Facebook going by the name “Sean Brian Townsend” posted a similar message while making light of Russian ransomware hackers’ abilities. “Ransomware is the scavenger of the computer world. They are weak. ‘Terrible Russian hackers,’ yeah, yeah,” he wrote in Russian, according to a machine translation.

Malware Hunter Team confirmed the defacement of the Trigona leak and payment site and said the incident came only days after @vx_herm1t tweeted about hacking into Trigona’s Confluence server.

Trigona’s ransom notes are unique. Rather than the usual text file, they are an HTML application with embedded JavaScript containing unique computer IDs and victim IDs, cybersecurity firm Palo Alto Networks wrote in March. The HTML application file is named how_to_decrypt.hta.

Trigona ransomware is a relatively new strain that security researchers first spotted late last October. Palo Alto determined that Trigona was very active during December, with at least 15 potential victims. Affected organizations were mainly from manufacturing, finance, construction, agriculture, marketing and high- tech industries.

AhnLab in April discovered Trigona ransomware on poorly managed Microsoft SQL Server instances. SentinelOne has said the criminal group uses aggressive deadlines with victims in an attempt to intimidate them into paying extortion.

Cybersecurity firm Arete in February said Trigona had exploited ManageEngine vulnerability CVE-2021-40539 for initial access. An Arete report found evidence linking Trigona with BlackCat, also known as Alphv, a Russian-speaking criminal group suspected of being a successor to DarkSide and BlackMatter, with ties to former REvil members.

“Trigona explicitly communicated to victims via email and voicemail identifying themselves as Alphv (BlackCat), as well as Trigona.’ Second, when the threat actor pressured one of their victims to pay the ransom demand, they shared a Tor link to an Alphv private blog page,” Arete wrote.

The evidence isn’t enough to establish that the two groups are actually the same, Arete concluded. It also said that Trigona and BlackCat “use different ransomware, exploit different vulnerabilities, and demonstrate different communication tactics.”

TrendMicro came to a similar conclusion, writing in June that overlaps between the two groups are “only circumstantial at best.” One possibility is that BlackCat collaborated with Trigona hackers but was not actually involved with the development and operation of the new ransomware group.