Also known as: \Win32:RansomX-gen [Ransom], Variant.Fragtor.168126, Trojan-Ransom.Win32.Generic, Trojan:Win32/Wacatac.B!ml, Ransom:Win32/Trigona.SA!MTB, Generic.Ransom.Trigona.A.A4161FC2 (B)
Type: Ransomware, crypto virus, files locker
Platform: Windows, Linux
Variants: Linux variant
Trigona is a strain of ransomware that first surfaced in June of 2022 and caught the attention of malware researchers by October 2023. It primarily targets Windows SQL servers, but variants designed to prey on Linux have been observed in 2023. In October 2023, the Ukrainian Cyber Alliance (UCA) hacktivist group announced that it had successfully disrupted Trigona’s operations.
Trigona encrypts the victim’s files and demands payment for the decryption key — and if the victim refuses to pay, the hackers further threaten to auction the data off to other criminal groups (a tactic known as “double extortion”). In addition, Trigona often deploys Mimikats, a credential dumper, to steal login information stored on the device.
The most obvious symptom of a Trigona infection is discovering that your files have been replaced by encrypted versions. The encrypted files have a “._locked” extension added to their filenames. Trigona will also create a “how_to_decrypt.hta” file with the ransom demand, threats to expose the files publicly, and instructions on how to decrypt the stolen files on Trigona’s website.
Other possible indicators of a Trigona infection include:
Your device frequently freezes or stutters.
Your device’s fan seems to be constantly on, even when the device is idle.
Your device periodically sends data to unknown remote servers (Trigona is sending copies of ransomed data to its control servers).
Sources of the infection
Trigona commonly targets servers or accounts with weak security, using brute force or leaked credential databases to get past password security. Once inside, it uses lateral movement (including exploiting legitimate remote access tools like Splashtop) to access critical areas, deliver the payload, and fully ingrain itself into the system. Less commonly, Trigona is spread through infected email attachments.
Your device may also get infected with Trigona from:
Infected files shared through messaging platforms.
Infected files downloaded from cloud storage or online repositories.
Other viruses that drop Trigona as part of their operations.
Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
Peer-to-peer (P2P) sharing of infected files.
Infected external devices, such as hard drives or USB sticks.
Because ransomware is notoriously hard to remove once deployed, the best protection against Trigona is preventive in nature. Set strong, unique passwords for your digital accounts to prevent brute force and credential stuffing attacks. In addition, learn to identify phishing emails and never click on suspicious attachments.
Other protective measures include:
Use NordPass to automatically generate, store, and safely fill in complex passwords for your accounts.
Use multi-factor authentication to protect your accounts in the event that someone steals your password.
Use NordLocker to regularly back up your files in the cloud. Having secure backups on hand lets you wipe your system and recover your assets without paying the ransom.
Use email scanning tools to identify and automatically block messages with suspicious attachments.
Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including Gootkit) to your device by exploiting vulnerabilities.
Update your software and operating system to close off vulnerabilities that could be exploited by hackers.
Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.
In the early stages of infection, Trigona can be removed using reliable antivirus software. Once Trigona has encrypted some files and posted a ransom note, trying to remove it may trigger the ransomware’s wiper function to delete the ransomed data. At this stage, you may need to isolate the infected system and wipe it clean to prevent the recurrence of Trigona.