Older Ransomware Strain Rebrands as Trigona


Trigona ransomware is the name of a strain of file-encrypting malware.

The ransomware is believed to be a rebranding of a formerly unnamed strain. The new version adds the ability to scan the victim system's local drives for encrypted files and to encrypt files in two different modes: test victim and campaign victim.

Trigona encrypts documents, media files, archives and databases. Once files get encrypted, they receive the "._locked" extension. This process will turn a file formerly named "document.txt" into "document.txt._locked" once it gets encrypted.


The ransom note is relatively complex and is dropped as an .HTA file named "how_to_decrypt.hta". The file contains dynamic content, including links and clickable text that copies an authentication key needed to access the Tor page run by the operators behind Trigona. The note offers to decrypt up to 3 files as proof that a decryption tool exists.
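The two file-system artifacts described above (the "._locked" suffix and the "how_to_decrypt.hta" note) are enough for a simple host triage check. The following is an added example, not code from the original page or from any vendor; the path inventory is constructed, and the threshold of three renamed files is an assumed tuning value.

```python
import ntpath
from collections import Counter
from dataclasses import dataclass, field

# Indicators taken from the description above: appended extension and note name.
TRIGONA_EXT = "._locked"
TRIGONA_NOTE = "how_to_decrypt.hta"


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)    # paths carrying ._locked
    notes: list = field(default_factory=list)        # ransom note drops
    per_dir: Counter = field(default_factory=Counter)  # renamed files per directory


def original_name(path):
    """Strip the Trigona suffix: 'document.txt._locked' -> 'document.txt'."""
    if path.lower().endswith(TRIGONA_EXT):
        return path[:-len(TRIGONA_EXT)]
    return path


def triage_paths(paths):
    """Classify file paths from an inventory or EDR export (Windows-style paths)."""
    result = TriageResult()
    for p in paths:
        name = ntpath.basename(p).lower()
        if name == TRIGONA_NOTE:
            result.notes.append(p)
        elif name.endswith(TRIGONA_EXT):
            result.encrypted.append(p)
            result.per_dir[ntpath.dirname(p)] += 1
    return result


def is_likely_trigona(result, min_encrypted=3):
    """Note present plus several renamed files is a stronger signal than either alone."""
    return bool(result.notes) and len(result.encrypted) >= min_encrypted


# Constructed sample inventory (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\document.txt._locked",
    r"C:\Users\alice\Documents\budget.xlsx._locked",
    r"C:\Users\alice\Documents\how_to_decrypt.hta",
    r"C:\Data\db\customers.mdf._locked",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    r = triage_paths(SAMPLE_PATHS)
    print("likely Trigona:", is_likely_trigona(r))
    for p in r.encrypted:
        print("encrypted:", p, "->", original_name(p))
```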

The full ransom note goes as follows:

THE ENTIRE NETWORK IS ENCRYPTED
YOUR BUSINESS IS LOSING MONEY
All documents, databases, backups and other critical data were encrypted and leaked
The program uses a secure AES algorithm, which makes decryption impossible without contacting us
If you refuse to negotiate, the data will be auctioned off
To recover your data, please follow the instructions
Download Tor Browser
Open decryption page
Auth using this key
The price depends on how soon you will contact us
Need help?
Don't doubt
You can decrypt 3 files for free as a guarantee
Don't waste time
Decryption price increases every hour
Don't contact resellers
They resell our services at a premium
Don't recover files
Additional recovery software will damage your data

December 2, 2022