A previously unnamed ransomware has rebranded under the name ‘Trigona,’ launching a new Tor negotiation site where its operators accept Monero as ransom payment.
The ransom note says that all documents, databases, backups, and other data have been encrypted and leaked.
It claims that decryption is impossible without contacting the threat actors, and that all data will be sold to third parties if victims refuse to pay a ransom.
It also urges victims to contact the attackers as soon as possible, because the price for data decryption increases every hour. Before paying a ransom, victims can have three files decrypted for free.
The ransom note instructs victims to pay for data decryption via a Tor website.
Examples of unreliable sources used by cybercriminals to distribute malware are peer-to-peer networks, unofficial (deceptive) pages, third-party downloaders, free file hosting pages, etc. Users typically infect their computers by opening malicious JavaScript files, Microsoft Office, PDF, or other documents, executables, ISO files, or archives (such as ZIP and RAR).
Threat Summary:
Name: Trigona virus
Threat Type: Ransomware, Crypto Virus, Files locker
Encrypted Files Extension: ._locked
Ransom Demanding Message: how_to_decrypt.hta
Free Decryptor Available? No
Cyber Criminal Contact: Chat on the provided Tor website
Detection Names: Avast (Win32:RansomX-gen [Ransom]), Combo Cleaner (Gen:Variant.Fragtor.168126), ESET-NOD32 (A Variant Of Win32/Filecoder.OLC), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), Microsoft (Trojan:Win32/Wacatac.B!ml), Full List Of Detections (VirusTotal)
Symptoms: Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Additional Information: Cybercriminals demand to be paid in Monero cryptocurrency.
Distribution methods: Infected email attachments (macros), torrent websites, malicious ads.
Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
BleepingComputer analyzed a recent sample of Trigona and found it supports various command line arguments that determine whether local or network files are encrypted, if a Windows autorun key is added, and whether a test victim ID (VID) or campaign ID (CID) should be used.
The command line arguments are listed below:
/full
/!autorun
/test_cid
/test_vid
/path
/!local
/!lan
/autorun_only
A ransom note named how_to_decrypt.hta will be created in each scanned folder.
This note displays information about the attack, a link to the Tor negotiation site, and a link that copies into the Windows clipboard an authorization key needed to log in to the Tor negotiation site.
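As an added incident-triage example (not code from the article or from BleepingComputer's analysis), the following Python walks a directory tree for the two file-system indicators the page names, the appended ._locked extension and the how_to_decrypt.hta note in each scanned folder, and reports which folders were hit and how many files they lost. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the page: appended extension and ransom note name.
ENCRYPTED_SUFFIX = "._locked"
RANSOM_NOTE = "how_to_decrypt.hta"

def scan_tree(root):
    """Walk root; return {folder: {"encrypted": [original names], "note": bool}}
    for every folder with indicators. Case-insensitive, as Windows file systems are."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": [], "note": False}
        for name in files:
            low = name.lower()
            if low == RANSOM_NOTE:
                entry["note"] = True
            elif low.endswith(ENCRYPTED_SUFFIX):
                # Strip the appended marker to recover the original filename.
                entry["encrypted"].append(name[: -len(ENCRYPTED_SUFFIX)])
        if entry["note"] or entry["encrypted"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report

def summarize(report):
    """Totals for scoping the incident: folders hit, files encrypted, notes dropped."""
    return {
        "folders": len(report),
        "files": sum(len(e["encrypted"]) for e in report.values()),
        "notes": sum(1 for e in report.values() if e["note"]),
    }

def build_sample_tree():
    """Constructed throwaway tree mimicking a hit file share (sample data, not real)."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    (root / "finance" / "budget.xlsx._locked").write_bytes(b"\x00")
    (root / "finance" / "HOW_TO_DECRYPT.hta").write_text("note")
    (root / "hr").mkdir()
    (root / "hr" / "policy.docx._locked").write_bytes(b"\x00")
    (root / "hr" / "staff.csv._locked").write_bytes(b"\x00")
    (root / "clean").mkdir()
    (root / "clean" / "readme.txt").write_text("untouched")
    return root

if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    print(summarize(rep))  # {'folders': 2, 'files': 3, 'notes': 1}
```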