Trigona Ransomware

The Trigona Ransomware is a harmful threat that appears to be mostly leveraged against business entities. The threat will target the data stored on the breached devices and encrypt it using a sufficiently strong cryptographic algorithm. Attacks using the Trigona Ransomware have already impacted numerous organizations, including a real estate company and a village in Germany. The name of the threat and threat actor organization appears to be based on a family of stingless bees. The hackers have even created a logo for themselves of what appears to be a person in a cybernetic bee costume.

The impacted victims will no longer be able to access most of their documents, PDFs, images, databases, archives, etc., effectively losing potentially vital and sensitive information. Each locked file will have '._locked' appended to its original name. In addition, a ransom note will be presented to the victims in a new window created from a file named 'how_to_decrypt.hta'.

The Trigona Ransomware Details

To avoid causing critical system errors, the threat will skip certain folders, such as the Windows and Program Files locations. Trigona also supports several command-line arguments, which it uses to check whether local or network files have already been encrypted, whether a Windows autorun key is available, and whether to use a VID (test Victim ID) or CID (Campaign ID). The identified command-line arguments include:

/full
/!autorun
/test_cid
/test_vid
/path
/!local
/!lan
/autorun_only
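
A triage sketch for the indicators described above (the '._locked' suffix, the 'how_to_decrypt.hta' note and the listed switches), added here as an example and not taken from the original article or from any vendor tool. The sample directory tree, the sample command lines and the rule that '/full' or '/path' alone is too generic to flag are assumptions.

```python
import os
import re
import tempfile

# Indicators taken from the article text; everything else here is illustrative.
LOCKED_SUFFIX = "._locked"
NOTE_NAME = "how_to_decrypt.hta"
TRIGONA_ARGS = {"/full", "/!autorun", "/test_cid", "/test_vid",
                "/path", "/!local", "/!lan", "/autorun_only"}
# Assumption: "/full" and "/path" are generic enough to need corroboration.
GENERIC_ARGS = {"/full", "/path"}

def scan_tree(root):
    """Return {directory: (locked_file_count, note_present)} for affected dirs."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        names = [f.lower() for f in files]
        locked = sum(1 for n in names if n.endswith(LOCKED_SUFFIX))
        note = NOTE_NAME in names
        if locked or note:
            hits[os.path.relpath(dirpath, root)] = (locked, note)
    return hits

def matched_args(command_line):
    """Return listed switches that appear as whole tokens in a command line."""
    tokens = {t.lower() for t in re.split(r"\s+", command_line.strip())}
    return sorted(tokens & TRIGONA_ARGS)

def is_suspicious(command_line):
    """Flag on any distinctive switch, or on two or more listed switches."""
    found = set(matched_args(command_line))
    return bool(found - GENERIC_ARGS) or len(found) >= 2

def build_sample_tree():
    """Create a constructed directory tree that mimics an affected share."""
    root = tempfile.mkdtemp(prefix="triage_")
    for rel in ("finance/q1.xlsx._locked", "finance/q2.xlsx._locked",
                "finance/how_to_decrypt.hta", "hr/policy.pdf", "it/notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
    # Constructed process-creation command lines.
    for cmd in (r"C:\Temp\svc.exe /!lan /path C:\Shares", r"backup.exe /full"):
        print(is_suspicious(cmd), matched_args(cmd))
```

Point scan_tree at a mounted share or a forensic image, and feed is_suspicious the command-line field of process-creation events to prioritise hosts for review.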

Ransom Note and Demands

The threat actors behind the Trigona Ransomware warn that, besides encrypting the victim's files, they also collect sensitive information that may be leaked to the public. The threat's ransom note also clarifies that the price of the ransom demanded by the attackers will increase with each passing hour. Apparently, the only way to reach the cybercriminals is via their dedicated website hosted on the TOR network. The ransom note mentions that victims can send up to 3 files for free decryption, but the hackers' website states that a total of five files can be unlocked. However, the chosen files must be less than 5 MB each. The site also clarifies that only ransom payments made using the Monero cryptocurrency will be accepted.

The full text of Trigona Ransomware's note is:

'THE ENTIRE NETWORK IS ENCRYPTED
YOUR BUSINESS IS LOSING MONEY
All documents, databases, backups and other critical data were encrypted and leaked
The program uses a secure AES algorithm, which makes decryption impossible without contacting us
If you refuse to negotiate, the data will be auctioned off
To recover your data, please follow the instructions
Download Tor Browser
Open decryption page
Auth using this key
The price depends on how soon you will contact us
Need help?
Don't doubt
You can decrypt 3 files for free as a guarantee
Don't waste time
Decryption price increases every hour
Don't contact resellers
They resell our services at a premium
Don't recover files
Additional recovery software will damage your data'
