Skip to content
Ransomware group

Trigona

Trigona is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in 2022, with public branding appearing in late October 2022.

Profile source: Mallory opens in a new tab

Trigona

Family profile

Trigona is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in 2022, with public branding appearing in late October 2022. It has both Windows and Linux variants with similar functionality and uses double-extortion tactics, combining file encryption with data theft and operation of a Tor-based negotiation and leak site. The operation has been linked by Symantec to a cybercrime group it tracks as Rhantus. Trigona typically seeks payment in Monero.

On Windows, Trigona encrypts files and appends the ._locked extension, drops ransom notes such as how_to_decrypt.hta or how_to_restore_files.hta, and can establish persistence via a Run registry key. Reported capabilities include encrypting local and network files, partial or full-file encryption, filename encryption, embedding victim/campaign metadata in encrypted files, deleting shadow copies and backups, disabling recovery options, evasion via registry changes, and destructive options such as file erasure and free-space wiping. Analysis of a Windows sample described it as a Delphi PE32 console application that decrypts embedded configuration data and supports numerous command-line options.

On Linux, Trigona samples observed in the wild as late as April 2025 support configurable encryption behavior and target paths, including /vmfs/ by default in one analyzed sample. Reported options include /chattr-i, /delete, /fast, /full, and /allow_system. The Linux variant can handle file immutability via chattr, kill tasks and services, execute configured commands, optionally self-delete, and disrupt VMware ESXi environments by enumerating and powering off virtual machines using vim-cmd before encryption.

Observed intrusion vectors and deployment methods include exploitation of publicly exposed RDP hosts using valid accounts, and attacks against internet-exposed MS-SQL servers with weak credentials using brute-force or dictionary attacks. In one DFIR case, attackers used exposed RDP access, BAT scripts, account creation, privilege escalation, discovery tooling, lateral movement over RDP/SMB, exfiltration with rclone to Mega.io, and then deployed Trigona. Separate reporting states Trigona was deployed on compromised MS-SQL servers and that attackers abused Microsoft BCP to deploy payloads; one report also notes use of a Rust-based scanner in MS-SQL-focused attacks.

Recent Trigona affiliate activity in March 2026 showed a shift from public exfiltration tools such as Rclone or MegaSync to a custom command-line exfiltration utility, uploader_client.exe. Reported features include connection to an attacker-controlled hardcoded server, five parallel connections per file by default, TCP connection rotation after 2,048 MB, selective file-type exclusion, and shared-key authentication. In observed cases, attackers targeted high-value documents such as invoices and PDFs on network drives. Associated tooling in these intrusions included HRSword, PCHunter, GMER, YDark, WKTools, DumpGuard, StpProcessMonitorByovd, PowerRun, AnyDesk, Mimikatz, and Nirsoft password recovery utilities, including use of vulnerable kernel drivers to disable security products.

Known indicators and artifacts directly mentioned in the content include the ._locked extension; ransom note filenames how_to_decrypt.hta and how_to_restore_files.hta; the custom exfiltration tool uploader_client.exe; exfiltration server 163.172.105.82:1080; SHA-256 hashes 396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc (uploader_client.exe), 6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc (HRSword), 6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b (Mimikatz), b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9 (PowerRun), f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb (WKTools), and c08a752138a6f0b332dfec981f20ec414ad367b7384389e0c59466b8e10655ec (Linux Trigona sample from April 2025).

Trigona infrastructure was reportedly compromised and wiped by the Ukrainian Cyber Alliance in October 2023 after exploitation of CVE-2023-22515 on a Confluence server, with claims that source code, databases, backups, and possibly decryption keys were stolen. Despite that disruption, multiple sources in the content indicate Trigona continued operating or resurfaced afterward.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Discovery Enum

  • Advanced Port Scanner
  • SoftPerfect NetScan

Exfiltration

  • MEGA
  • RClone

Offsec

  • Cobalt Strike

RMM Tools

  • AnyDesk
  • LogMeIn
  • ScreenConnect
  • Splashtop
  • TeamViewer

Ransomware.live

Published indicators

Full source record ↗

Md5

114 total
  • f78073b1b2de009645a0254507b87a37
  • 7f7c78fb5d9fdee28996a3f12bd00fef
  • 68635ad9d12f683071611bfd34c1ec34
  • b59a9174ff768633e2cf5dfb16e516a8
  • 2c83e59eea3e6890d31adc7c518e3702
  • c62620dc472f8e2835ad3abc6acd6e35
  • c28b33f7365f9dc72cc291d13458f334
  • 2c31a750240788f924ef64a2fb4fdf3b
  • 5f3407dedd4b9bf1e57209cc2178b8dc
  • 21477e62d5ddebf6fcb1ecb8002d0c8c

Reported operators

Threat actors

3 named in public reporting
Ukrainian Cyber Alliance

Trigona ransomware was first observed in June 2022. It has Windows and Linux versions, which are similar in their functionality. On underground forums, threat actors announced the start of the affiliate program, meaning that Trigona operates as ransomware as a service.

Rhantus

Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.

Larva-26002

In January 2024, the group first made its mark by deploying Trigona and Mimic ransomware on MS-SQL servers exposed to the internet with weak credentials.

Exploited software

Vulnerabilities linked to Trigona

1 CVEs

MITRE ATT&CK

Trigona in ATT&CK

26 distinct techniques

Reporting

Research mentioning Trigona

Apr 26
Security Affairs

Trigona ransomware adopts custom tool to steal data and evade detection

Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.

Apr 24
Scworld

Trigona ransomware attackers use novel tool for data exfiltration | news | SC Media

Trigona ransomware affiliates are using a novel, custom tool for data exfiltration... Trigona is a ransomware-as-a-service (RaaS) group that first emerged in 2022 and uses double-extortion tactics.

Apr 24
Cyber Security News

Ransomware Hackers Develop Custom Exfiltration Tool to Steal Sensitive Data

Affiliates linked to the Trigona ransomware group have taken a more calculated approach by building their own custom data exfiltration tool... The Trigona ransomware first surfaced in late 2022 and operates under a Ransomware-as-a-Service (RaaS) model, managed by a cybercrime group known as Rhantus.

Apr 23
Data Breaches

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft - DataBreaches.Net

Recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service (RaaS) by a cybercrime group Symantec calls Rhantus.

Apr 23
Bleeping Computer

Trigona ransomware attacks use custom exfiltration tool to steal data

Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.

Apr 23
Symantec

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft | SECURITY.COM

Recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service (RaaS) by a cybercrime group Symantec calls Rhantus.

Mar 24
Cyber Security News

Threat Actors Continuously Attacking MS-SQL Servers to Deploy ICE Cloud Scanner - Cyber Security News

In January 2024, the group first made its mark by deploying Trigona and Mimic ransomware on MS-SQL servers exposed to the internet with weak credentials.

Oct 30
Security Online Info

Trigona Ransomware Attacks MS-SQL Servers Using Rust Scanner and BCP Utility to Deploy Payloads

Trigona Ransomware Attacks MS-SQL Servers Using Rust Scanner and BCP Utility to Deploy Payloads

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.