Attackers are breaking into poorly protected, internet-exposed Microsoft SQL (MS-SQL) servers and deploying the Trigona ransomware payload to encrypt all files. Initial access is gained by brute force: servers whose accounts use weak, easily guessed credentials are the ones that fall to Trigona attacks.
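The brute-force stage leaves a visible trail on the SQL Server side: a burst of failed logins from one client address, followed by a success from the same address once a password is guessed. The following Python script, added here as an illustration and not taken from the article or from AhnLab's report, runs that detection over a few constructed lines written in the style of the SQL Server ERRORLOG (the addresses, timestamps and the `sa` account in the sample are invented). The threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG style (not real data):
# a burst of failed 'sa' logins from one external client followed by a success
# from the same client, plus one unrelated failure from an internal host.
SAMPLE_ERRORLOG = """\
2023-04-17 09:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 09:15:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 09:15:01.75 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:15:01.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 09:15:02.05 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:15:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 09:15:02.40 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:15:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 09:15:02.70 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:15:02.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 09:15:03.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2023-04-17 09:20:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:20:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
FAIL_RE = re.compile(TS + r" Logon\s+Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
OK_RE = re.compile(TS + r" Logon\s+Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_logon_events(text):
    """Return (timestamp, outcome, user, client) tuples for logon lines, oldest first.
    Lines that are not logon outcomes (e.g. the 'Error: 18456' header line) are ignored."""
    events = []
    for line in text.splitlines():
        for outcome, rx in (("fail", FAIL_RE), ("ok", OK_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
                events.append((ts, outcome, m.group("user"), m.group("client")))
                break
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag every client that accumulates `threshold` failed logins inside a sliding
    window, and record whether that client then logged in successfully while the
    failures were still in the window (a guessed password that worked)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> (timestamp, user) of failures inside the window
    alerts = {}                   # client -> alert record
    for ts, outcome, user, client in parse_logon_events(text):
        dq = recent[client]
        while dq and ts - dq[0][0] > window:   # slide the window forward
            dq.popleft()
        if outcome == "fail":
            dq.append((ts, user))
            if len(dq) >= threshold:
                rec = alerts.setdefault(client, {
                    "client": client, "users": set(), "max_burst": 0,
                    "first_failure": dq[0][0].isoformat(), "success_after_burst": None})
                rec["users"].update(u for _, u in dq)
                rec["max_burst"] = max(rec["max_burst"], len(dq))
        elif client in alerts and dq:
            # a success while failed attempts are still in the window: treat as probable compromise
            alerts[client]["success_after_burst"] = (ts.isoformat(), user)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
```

Successful logins only appear in the ERRORLOG when login auditing is set to record both failed and successful logins, so the `success_after_burst` field is empty on servers that audit failures only; the failure burst alone still fires the alert.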
Analysts at the South Korean security company AhnLab report that the attackers use the CLR Shell malware to collect system information, change the configuration of the compromised account, and elevate privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service.
In the next stage, the attackers install and run a dropper disguised as svcservice.exe, which launches the Trigona ransomware itself, disguised as svchost.exe. The ransomware binaries are configured to run automatically on every system reboot, so that encryption continues even if the machine is restarted.
Before it starts encrypting and dropping ransom notes, the malware disables System Restore and deletes all volume shadow copies, so that recovery is not possible without the decryption key.
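The two stages just described, a payload masquerading as svchost.exe and the deletion of shadow copies and System Restore before encryption, are both observable in process-creation telemetry. The Python script below is an added example, not code from the article or from AhnLab, that triages a handful of constructed Sysmon-style process-creation events. The file names svchost.exe and svcservice.exe come from the article; the specific command lines matched (vssadmin, wmic, wbadmin, bcdedit, Disable-ComputerRestore) are assumed typical indicators of shadow-copy deletion and recovery tampering, since the article does not say which commands Trigona uses.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1 style (not real telemetry).
# Event 1 mimics a payload named svchost.exe running from a user-writable directory;
# events 2-4 mimic anti-recovery steps; event 5 is routine administration and must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Users\Public\svcservice.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\svchost.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\Public\svchost.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No",
     "ParentImage": r"C:\Users\Public\svchost.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumed indicator patterns (typical recovery-tampering commands; not from the article).
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("system_restore_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("system_restore_disabled", re.compile(r"\bDisable-ComputerRestore\b", re.I)),
]

# Directories the genuine svchost.exe is expected to run from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROTECTED_NAMES = {"svchost.exe"}


def masquerading_system_binary(image):
    """True when a process carries a protected system binary name but runs from
    outside the system directories (the svchost.exe disguise described above)."""
    p = PureWindowsPath(image)
    return p.name.lower() in PROTECTED_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def triage_events(events):
    """Return one finding per suspicious observation, in event order. Command-line
    findings also note whether the parent process is itself a masquerading binary,
    which ties the anti-recovery step back to the disguised payload."""
    findings = []
    for idx, ev in enumerate(events):
        if masquerading_system_binary(ev["Image"]):
            findings.append({"rule": "masquerading_system_binary", "event": idx,
                             "detail": ev["Image"]})
        for rule, rx in COMMAND_RULES:
            if rx.search(ev["CommandLine"]):
                findings.append({"rule": rule, "event": idx, "detail": ev["CommandLine"],
                                 "parent_suspicious": masquerading_system_binary(ev["ParentImage"])})
                break   # one command-line rule per event is enough
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The `vssadmin list shadows` event is deliberately left unflagged: listing shadow copies is routine, and the rules key on the destructive verbs so that backup administrators do not drown the alert in false positives.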
Trigona ransomware was discovered in October 2022 and was first described by MalwareHunterTeam analysts and Bleeping Computer journalists. Payments are accepted only in the Monero cryptocurrency. Trigona encrypts all files on victims’ devices except those in certain folders (including Windows and Program Files). The attackers also claim to steal confidential documents before encryption and to publish them on their “leak site” on the dark web.
According to ID Ransomware, Trigona has been behind 190 attacks since the beginning of the year.