
Trigona Ransomware: Complete Guide

Trigona is ransomware that encrypts files and appends the ._locked extension to them, e.g. photo1.jpg is renamed photo1.jpg._locked. It targets Microsoft Windows systems, with a particular focus on Microsoft SQL servers.

This ransomware variant was first seen in October 2022. Trigona uses the double-extortion tactic: the operators first exfiltrate the server's data and then encrypt it. They then threaten to leak the exfiltrated information, usually sensitive and critical data, unless the victim pays the ransom.

What kind of malware is Trigona?

Trigona is ransomware, a type of malware that encrypts and locks the victim's files and then demands a ransom in exchange for the decryption key. It is its own ransomware family and is written in the Delphi programming language.

Because Trigona combines symmetric and asymmetric cryptography, recovering the files without a backup or the attackers' private key is extremely hard, but not necessarily impossible. SalvageData ransomware recovery experts can work with your data and securely restore it.

Everything we know about Trigona Ransomware

Confirmed Name

  • Trigona virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker

Encrypted Files Extension

  • ._locked

Ransom Demanding Message

  • how_to_decrypt.hta

Is There a Free Decryptor Available?

No. There is no public decryptor for Trigona ransomware.

Detection Names

  • Avast Win32:RansomX-gen [Ransom]
  • AVG Win32:RansomX-gen [Ransom]
  • Emsisoft Generic.Ransom.Trigona.A.A4161FC2 (B)
  • Kaspersky HEUR:Trojan-Ransom.Win32.KlopRansom.g
  • Malwarebytes Ransom.CryLocker
  • Microsoft Ransom:Win32/Trigona.SA!MTB

Ransomware family, type & variant

  • Trigona is a ransomware family
  • It has similar tactics and tools to CryLock ransomware
  • It’s also linked to the ALPHV (BlackCat) group

Distribution methods

  • Poorly secured Internet-exposed Microsoft SQL (MS-SQL) servers
  • Stolen credentials
  • Vulnerable RDP
  • Infected email attachments (phishing emails)

Consequences

  • Files are encrypted and cannot be opened without the decryption key
  • Password stealing
  • Additional malware can be installed
  • Data leak

Trigona infrastructure (Tor site and IP address, defanged)

  • hxxp://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion
  • 45.227.253[.]99

Trigona ransomware symptoms

  • Can’t open files stored on the computer
  • Ransom demand letter on the desktop and every folder
  • Files have a new extension (e.g. filename1._locked)
  • A note with instructions pops up when the victim tries to open an encrypted file


What is in Trigona’s ransom note

This is a sample of the Trigona ransom note (how_to_decrypt.hta):

(Image: example of the Trigona ransomware ransom note)

How does Trigona infect a system

Trigona ransomware exploits poorly secured Internet-exposed Microsoft SQL (MS-SQL) servers. It gets into your computer or network by brute-forcing logins or taking advantage of weak, easy-to-guess account credentials.

Attackers also abuse remote access tools whose credentials are known, reused, weak, or slight variations of leaked ones to gain access to business networks and exfiltrate data.

Attackers also exploit software with known vulnerabilities to attack businesses. That's why it's important to keep every piece of software updated and to protect remote administration tools like RDP.

How does Trigona work

Trigona ransomware attacks Windows defenses: it attempts to disable Windows Defender and remove Microsoft Security Essentials. That's one more reason to keep Windows updated, since new updates can ship improved protection layers against ransomware such as Trigona.

Trigona also targets businesses and enterprises, going after their financial records, emails, and even backups. So always keep at least one current backup offline (or otherwise immutable) so it cannot be encrypted or deleted along with the production data.

Trigona combines an asymmetric encryption algorithm, RSA (Rivest–Shamir–Adleman), with a symmetric one, AES (Advanced Encryption Standard): the bulk file data is encrypted with AES, and the AES key material is protected with the attackers' RSA public key, so the files cannot be recovered without the matching RSA private key, which only the attackers hold.
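The following Go program is an added example, not Trigona's code and not the page's own, that models the RSA+AES design described above to show why the victim cannot recover files without the operators' private key. The blob layout, the use of AES-GCM and RSA-OAEP, and the function names encryptFile and decryptFile are assumptions chosen for illustration; Trigona's real file format and cipher modes are not documented on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative hybrid scheme (assumed layout, not Trigona's real file format):
// every file gets a fresh random AES-256 key, the file body is encrypted with
// AES-GCM, and the file key is wrapped with the operators' RSA public key
// (RSA-OAEP). The private key never leaves the operators, so nothing on the
// victim's machine can unwrap the file key.
//
// Blob layout: [2-byte wrapped-key length][wrapped key][12-byte nonce][ciphertext+tag]

func encryptFile(plaintext []byte, pub *rsa.PublicKey) ([]byte, error) {
	fileKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the per-file key so only the holder of the RSA private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(nonce)+len(ciphertext))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	out = append(out, ciphertext...)
	return out, nil
}

func decryptFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	wl := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+wl {
		return nil, errors.New("blob truncated")
	}
	wrapped, rest := blob[2:2+wl], blob[2+wl:]
	// Without the matching private key this step fails; there is no AES key to fall back on.
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("blob truncated")
	}
	nonce, ciphertext := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil) // also fails if the ciphertext was tampered with
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048) // key pair generated by the attackers
	blob, _ := encryptFile([]byte("Q3 financial records"), &operator.PublicKey)

	pt, err := decryptFile(blob, operator) // the operators can decrypt
	fmt.Printf("operator key: %q err=%v\n", pt, err)

	victim, _ := rsa.GenerateKey(rand.Reader, 2048) // any key the victim generates is useless
	_, err = decryptFile(blob, victim)
	fmt.Println("other key:", err)
}
```

The point of the per-file AES key is speed: RSA is far too slow for gigabytes of data, so only 32 bytes go through RSA per file. Backups remain the only reliable recovery path because the wrapped key is useless without the private half of the RSA pair.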

More recently, Trigona added data-wiper functionality. It is triggered by the /erase command-line switch and overwrites files with NULL bytes, destroying their content rather than encrypting it.

Contacting a ransomware removal service can not only restore your files but also remove any potential threat.

How to handle a Trigona ransomware attack

The first step to recover from a Trigona attack is to isolate the infected computer: disconnect it from the network and the internet and unplug any connected storage device. Then contact the authorities. For US residents and businesses, that is the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack, gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Trigona actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to bring in professionals, do nothing else. Leave every infected machine as it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery: capturing the RAM of a live system may help recover the encryption key, and catching the dropper file (the file that executes the malicious payload) allows it to be reverse-engineered, which may lead to decryption of the data or at least an understanding of how it operates.

Do not delete the ransomware, and keep every piece of evidence of the attack. That is important for digital forensics so experts can trace the attack back to the hacker group and identify them. It is the data on your infected system that lets the authorities investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, then they will take care of everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware families use the file extension as their name) or from the ransom note. With this information, you can look for a public decryptor.

You can also identify the ransomware by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activity within a network or IT environment. They are essentially the digital equivalent of evidence left at a crime scene; potential IOCs include unusual network traffic, privileged user logins from unexpected countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate the possible threat and validate whether it is a genuine compromise. IOCs also provide evidence of what an attacker had access to once they were inside the network.

Trigona Ransomware IOCs

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

Hashes of droppers are cryptographic fingerprints (here SHA-256) of the malware files; they are used to detect known samples and to look up existing analyses.

These are the SHA-256 hashes of known Trigona droppers:

  • 248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db
  • 596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864
  • 704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2
  • 859e62c87826a759dbff2594927ead2b5fd23031b37b53233062f68549222311
  • 8f8d01131ef7a66fd220dc91388e3c21988d975d54b6e69befd06ad7de9f6079
  • 97c79199c2f3f2edf2fdc8c59c8770e1cb8726e7e441da2c4162470a710b35f5
  • a86ed15ca8d1da51ca14e55d12b4965fb352b80e75d064df9413954f4e1be0a7
  • accd5bcf57e8f9ef803079396f525955d2cfffbf5fe8279f744ee17a7c7b9aac
  • da32b322268455757a4ef22bdeb009c58eaca9717113f1597675c50e6a36960a
  • e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc
  • e97de28072dd10cde0e778604762aa26ebcb4cef505000d95b4fb95872ad741b
  • f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684
  • fa6f869798d289ee7b70d00a649145b01a93f425257c05394663ff48c7877b0d
  • fbba6f4fd457dec3e85be2a628e31378dc8d395ae8a927b2dde40880701879f2
  • fd25d5aca273485dec73260bdee67e5ff876eaa687b157250dfa792892f6a1b6
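The following Go program is an added example, not part of the original page, that turns the three file-system indicators listed on this page (the dropper SHA-256 hashes above, the ._locked extension and the how_to_decrypt.hta note) into a triage scan of a directory tree. The function names scanDir and sha256Hex and the Findings structure are assumptions for illustration; the hash list is copied from the IOC list above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// SHA-256 dropper hashes from the IOC list on this page (lowercase hex).
var trigonaHashes = map[string]bool{
	"248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db": true,
	"596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864": true,
	"704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2": true,
	"859e62c87826a759dbff2594927ead2b5fd23031b37b53233062f68549222311": true,
	"8f8d01131ef7a66fd220dc91388e3c21988d975d54b6e69befd06ad7de9f6079": true,
	"97c79199c2f3f2edf2fdc8c59c8770e1cb8726e7e441da2c4162470a710b35f5": true,
	"a86ed15ca8d1da51ca14e55d12b4965fb352b80e75d064df9413954f4e1be0a7": true,
	"accd5bcf57e8f9ef803079396f525955d2cfffbf5fe8279f744ee17a7c7b9aac": true,
	"da32b322268455757a4ef22bdeb009c58eaca9717113f1597675c50e6a36960a": true,
	"e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc": true,
	"e97de28072dd10cde0e778604762aa26ebcb4cef505000d95b4fb95872ad741b": true,
	"f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684": true,
	"fa6f869798d289ee7b70d00a649145b01a93f425257c05394663ff48c7877b0d": true,
	"fbba6f4fd457dec3e85be2a628e31378dc8d395ae8a927b2dde40880701879f2": true,
	"fd25d5aca273485dec73260bdee67e5ff876eaa687b157250dfa792892f6a1b6": true,
}

// Findings keeps the three indicator kinds apart: a hash hit is a dropper worth
// preserving for forensics, while ._locked files and ransom notes show the blast radius.
type Findings struct {
	HashHits    []string
	LockedFiles []string
	RansomNotes []string
}

func sha256Hex(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// scanDir walks root read-only; iocHashes is passed in so the list can be extended.
func scanDir(root string, iocHashes map[string]bool) (Findings, error) {
	var res Findings
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if path == root {
				return err // missing or unreadable root: report it to the caller
			}
			return nil // skip unreadable entries but keep scanning
		}
		if d.IsDir() {
			return nil
		}
		name := strings.ToLower(d.Name())
		switch {
		case strings.HasSuffix(name, "._locked"):
			res.LockedFiles = append(res.LockedFiles, path)
			return nil // encrypted victims are never droppers; no need to hash them
		case name == "how_to_decrypt.hta":
			res.RansomNotes = append(res.RansomNotes, path)
			return nil
		}
		sum, err := sha256Hex(path)
		if err == nil && iocHashes[sum] {
			res.HashHits = append(res.HashHits, path)
		}
		return nil
	})
	return res, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	f, err := scanDir(root, trigonaHashes)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, p := range f.HashHits {
		fmt.Println("KNOWN TRIGONA DROPPER HASH:", p)
	}
	for _, p := range f.RansomNotes {
		fmt.Println("RANSOM NOTE:", p)
	}
	fmt.Printf("encrypted (._locked) files: %d\n", len(f.LockedFiles))
}
```

Run it against a mounted image or a suspect share rather than the live victim, and never delete what it flags: a hash hit is exactly the dropper the forensics step above asks you to preserve.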

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Keep daily or weekly backups, depending on how often your data changes, and store at least one copy offline so it survives an attack.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and guarantee Trigona ransomware does not attack your network again.

Contact our experts 24/7 for emergency recovery service or find a recovery center near you.

Prevent the Trigona ransomware attack

Preventing ransomware is the best solution for data security: it is easier and cheaper than recovering from an attack. A Trigona attack can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Run antivirus and anti-malware software
  • Use cybersecurity solutions
  • Use strong passwords
  • Keep software updated
  • Keep the operating system (OS) updated
  • Use firewalls
  • Have a recovery plan in hand (see how to create a data recovery plan with our in-depth guide)
  • Schedule regular backups
  • Don't open email attachments from unknown sources
  • Don't download files from suspicious websites
  • Don't click on ads unless you're sure they're safe
  • Only access websites from trustworthy sources

Heloise Montini

Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.
