Trigona (._locked) ransomware virus

A previously unnamed ransomware has rebranded under the name ‘Trigona,’ launching a new Tor negotiation site where they accept Monero as ransom payments.
The ransom note says that all documents, databases, backups, and other data have been encrypted and leaked.
It claims that decryption without contacting threat actors is impossible. All data will be sold to third parties if victims refuse to pay a ransom.

It also urges victims to contact the attackers as soon as possible to avoid paying a higher price for data decryption because it increases every hour. Before paying a ransom, victims can have three files decrypted for free.
The ransom note instructs victims to pay for data decryption via a Tor website.

Examples of unreliable sources used by cybercriminals to distribute malware are Peer-to-Peer networks, unofficial (deceptive) pages, third-party downloaders, free file hosting pages, etc. Users infect computers via malicious JavaScript files, Microsoft Office, PDF, or other documents, executables, ISO files, archive files (like ZIP and RAR), etc.

Threat Summary:
Name: Trigona virus
Threat Type: Ransomware, Crypto Virus, Files locker
Encrypted Files Extension: ._locked
Ransom Demanding Message: how_to_decrypt.hta
Free Decryptor Available? No
Cyber Criminal Contact: Chat on the provided Tor website
Detection Names: Avast (Win32:RansomX-gen [Ransom]), Combo Cleaner (Gen:Variant.Fragtor.168126), ESET-NOD32 (A Variant Of Win32/Filecoder.OLC), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), Microsoft (Trojan:Win32/Wacatac.B!ml), Full List Of Detections (VirusTotal)
Symptoms: Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Additional Information: Cybercriminals demand to be paid in Monero cryptocurrency.
Distribution methods: Infected email attachments (macros), torrent websites, malicious ads.
Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.

BleepingComputer analyzed a recent sample of Trigona and found it supports various command line arguments that determine whether local or network files are encrypted, if a Windows autorun key is added, and whether a test victim ID (VID) or campaign ID (CID) should be used.

The command line arguments are listed below:

/full
/!autorun
/test_cid
/test_vid
/path
/!local
/!lan
/autorun_only

A ransom note named how_to_decrypt.hta will be created in each scanned folder.
This note displays information about the attack, a link to the Tor negotiation site, and a link that copies an authorization key into the Windows clipboard needed to log in to the Tor negotiation site.

Sign Up For Threat Alerts

Loading...
Threats Icon

Feb 02, 2023

Ukraine CERT-UA: Compromised Email Address Used To...

An adversary was discovered using a compromised e-mail address to send phishing emails with a...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Jan 31, 2023

Multiple Malware Variants Distributed Through Microsoft OneNote

Spear-phishing emails with malicious Microsoft OneNote attachments were discovered delivering variants from the AsyncRAT, Formbook¸...

Threats Icon

Jan 30, 2023

Playing Whack-a-Mole With New Dharma Ransomware Variants

The Dharma ransomware family was initially identified in 2016 and operates as a Ransomware-as-a-Service (RaaS)...

Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023

DragonSpark

The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...

Threats Icon

Jan 24, 2023

Gamaredon Abuses Telegram To Target Ukrainian Government...

The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service...

Threats Icon

Jan 23, 2023

NeedleDropper: A New Dropper-as-a-Service Uncovered

Avast's Threat Research Team has since October 2022 been observing a new strain of dropper...

Threats Icon

Jan 22, 2023

Aurora Stealer Leverages Shapeshifting Tactics And Popular...

A threat actor was discovered mimicking legitimate websites to host and deliver the 9002 RAT,...

Threats Icon

Jan 19, 2023

Earth Bogle Campaign Targets Entities With Geopolitical...

Middle Eastern geopolitical themed lures were used to distribute njRAT across the Middle East and...