Credential Theft
- Mimikatz
Trigona is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in 2022, with public branding appearing in late October 2022.
Profile source: Mallory opens in a new tabTrigona
Trigona is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in 2022, with public branding appearing in late October 2022. It has both Windows and Linux variants with similar functionality and uses double-extortion tactics, combining file encryption with data theft and operation of a Tor-based negotiation and leak site. The operation has been linked by Symantec to a cybercrime group it tracks as Rhantus. Trigona typically seeks payment in Monero.
On Windows, Trigona encrypts files and appends the ._locked extension, drops ransom notes such as how_to_decrypt.hta or how_to_restore_files.hta, and can establish persistence via a Run registry key. Reported capabilities include encrypting local and network files, partial or full-file encryption, filename encryption, embedding victim/campaign metadata in encrypted files, deleting shadow copies and backups, disabling recovery options, evasion via registry changes, and destructive options such as file erasure and free-space wiping. Analysis of a Windows sample described it as a Delphi PE32 console application that decrypts embedded configuration data and supports numerous command-line options.
On Linux, Trigona samples observed in the wild as late as April 2025 support configurable encryption behavior and target paths, including /vmfs/ by default in one analyzed sample. Reported options include /chattr-i, /delete, /fast, /full, and /allow_system. The Linux variant can handle file immutability via chattr, kill tasks and services, execute configured commands, optionally self-delete, and disrupt VMware ESXi environments by enumerating and powering off virtual machines using vim-cmd before encryption.
Observed intrusion vectors and deployment methods include exploitation of publicly exposed RDP hosts using valid accounts, and attacks against internet-exposed MS-SQL servers with weak credentials using brute-force or dictionary attacks. In one DFIR case, attackers used exposed RDP access, BAT scripts, account creation, privilege escalation, discovery tooling, lateral movement over RDP/SMB, exfiltration with rclone to Mega.io, and then deployed Trigona. Separate reporting states Trigona was deployed on compromised MS-SQL servers and that attackers abused Microsoft BCP to deploy payloads; one report also notes use of a Rust-based scanner in MS-SQL-focused attacks.
Recent Trigona affiliate activity in March 2026 showed a shift from public exfiltration tools such as Rclone or MegaSync to a custom command-line exfiltration utility, uploader_client.exe. Reported features include connection to an attacker-controlled hardcoded server, five parallel connections per file by default, TCP connection rotation after 2,048 MB, selective file-type exclusion, and shared-key authentication. In observed cases, attackers targeted high-value documents such as invoices and PDFs on network drives. Associated tooling in these intrusions included HRSword, PCHunter, GMER, YDark, WKTools, DumpGuard, StpProcessMonitorByovd, PowerRun, AnyDesk, Mimikatz, and Nirsoft password recovery utilities, including use of vulnerable kernel drivers to disable security products.
Known indicators and artifacts directly mentioned in the content include the ._locked extension; ransom note filenames how_to_decrypt.hta and how_to_restore_files.hta; the custom exfiltration tool uploader_client.exe; exfiltration server 163.172.105.82:1080; SHA-256 hashes 396aa1f8f308010a3c76a53965d0eddd35e41176eacd1194745d9542239ca8dc (uploader_client.exe), 6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc (HRSword), 6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b (Mimikatz), b066ca2702853c2fcbf686897c18f6d315be7ae753007ac2c1d73c87b0a30de9 (PowerRun), f27eab3157451e31db71169e71f76d28325193218f9dc8f421136d4a20165feb (WKTools), and c08a752138a6f0b332dfec981f20ec414ad367b7384389e0c59466b8e10655ec (Linux Trigona sample from April 2025).
Trigona infrastructure was reportedly compromised and wiped by the Ukrainian Cyber Alliance in October 2023 after exploitation of CVE-2023-22515 on a Confluence server, with claims that source code, databases, backups, and possibly decryption keys were stolen. Despite that disruption, multiple sources in the content indicate Trigona continued operating or resurfaced afterward.
Ransomware.live
Ransomware.live
f78073b1b2de009645a0254507b87a377f7c78fb5d9fdee28996a3f12bd00fef68635ad9d12f683071611bfd34c1ec34b59a9174ff768633e2cf5dfb16e516a82c83e59eea3e6890d31adc7c518e3702c62620dc472f8e2835ad3abc6acd6e35c28b33f7365f9dc72cc291d13458f3342c31a750240788f924ef64a2fb4fdf3b5f3407dedd4b9bf1e57209cc2178b8dc21477e62d5ddebf6fcb1ecb8002d0c8cReported operators
Trigona ransomware was first observed in June 2022. It has Windows and Linux versions, which are similar in their functionality. On underground forums, threat actors announced the start of the affiliate program, meaning that Trigona operates as ransomware as a service.
Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.
In January 2024, the group first made its mark by deploying Trigona and Mimic ransomware on MS-SQL servers exposed to the internet with weak credentials.
Exploited software
MITRE ATT&CK
Reporting
Trigona ransomware now uses a custom command-line tool to steal data faster and evade detection, replacing tools like Rclone and MegaSync.
Trigona ransomware affiliates are using a novel, custom tool for data exfiltration... Trigona is a ransomware-as-a-service (RaaS) group that first emerged in 2022 and uses double-extortion tactics.
Affiliates linked to the Trigona ransomware group have taken a more calculated approach by building their own custom data exfiltration tool... The Trigona ransomware first surfaced in late 2022 and operates under a Ransomware-as-a-Service (RaaS) model, managed by a cybercrime group known as Rhantus.
Recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service (RaaS) by a cybercrime group Symantec calls Rhantus.
Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
Recent attacks involving the Trigona ransomware used a custom-developed tool designed to provide attackers with granular control over the data theft process. The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. Trigona, which first appeared in late 2022, is operated as a Ransomware-as-a-Service (RaaS) by a cybercrime group Symantec calls Rhantus.
In January 2024, the group first made its mark by deploying Trigona and Mimic ransomware on MS-SQL servers exposed to the internet with weak credentials.
Trigona Ransomware Attacks MS-SQL Servers Using Rust Scanner and BCP Utility to Deploy Payloads
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.