Palo Alto Networks warns about ransomware strain Trigona

Security researchers from Palo Alto Networks came across a new strain of ransomware at the end of 2022 that is currently still operating "under the radar" of many security researchers. However, at least 15 victims were attacked in December 2022. Here is some information about this new threat.


Security researchers from Unit 42 (Palo Alto Networks' research division) warn about the ransomware named Trigona in a recent announcement. Trigona is also the name of a stingless bee that is found in South America. Security researchers from MalwareHunterTeam came across the malware in late October 2022 and first used this name for a new ransomware group in a subsequent tweet in late November 2022.

Trigona Ransomware

The colleagues from Bleeping Computer had taken up the issue in this blog post. At the time, the group had set up a new Tor page under that name for victims to negotiate. This was a novelty, as initial infections in early 2022 still required communication via email and no specific name was used by the group.

Since that time, security researchers from Palo Alto Networks Unit 42 have been tracking the activities of this group. According to them, Trigona was very active in December 2022, compromising at least 15 potential victims that month. The affected companies are from the manufacturing, finance, construction, agriculture, marketing and high technology sectors, according to Unit 42. The researchers also identified two new Trigona extortion cases in January 2023 and two in February 2023.

An unusual tactic of Trigona is to use password-protected executables to disguise malware. Unit 42 security researchers observed how the ransomware operator first gains access to a target's environment to perform reconnaissance. Then, a remote access and management (RMM) tool called Splashtop comes into play. It is used to transfer the malware to the target environment. After that, new user accounts are created to complete the operation by deploying the ransomware.


Threat researchers at Unit 42 suspect that the original web-accessible "leak page" was a development environment used to test features of the ransomware before a possible move to the dark web. Several posts on the page appear to be duplicates of the BlackCat leak page, although some of the countdown timers run significantly longer. The leak site is no longer available on the public Internet.

Interestingly, Unit 42 encountered examples of Trigona-related operations that originated from a compromised Windows 2003 server. A NetScan was then performed from this compromised server for internal network reconnaissance. Attackers often misuse, exploit or subvert legitimate products for malicious purposes. This does not necessarily mean that there is a flaw or malicious feature in the legitimate product that is being abused.
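The chain described above (NetScan reconnaissance, Splashtop used to bring in the malware, then new user accounts) can be turned into a simple correlation rule. The following is an added example, not code from Unit 42 or from this blog: it assumes Windows Security events 4688 (process creation) and 4720 (user account created) are collected per host, and the path substrings, the 24-hour window, the per-host correlation and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment
# Assumed indicators: substrings of the process image path in event 4688.
STAGE_PATTERNS = {"recon": ("netscan",), "rmm": ("splashtop",)}
SPLASHTOP = r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe"

# Constructed sample events: (host, time, event ID, image path or new account).
EVENTS = [
    ("SRV-OLD", "2023-01-10T02:01:00", 4688, r"C:\Temp\netscan.exe"),
    ("SRV-OLD", "2023-01-10T02:20:00", 4688, SPLASHTOP),
    ("SRV-OLD", "2023-01-10T02:45:00", 4720, "svc_backup2"),
    ("WS-042", "2023-01-10T09:00:00", 4688, SPLASHTOP),
    ("WS-042", "2023-01-12T09:00:00", 4720, "new.hire"),   # outside the window
    ("HELPDESK-7", "2023-01-11T10:00:00", 4688, SPLASHTOP),
    ("HELPDESK-7", "2023-01-11T10:30:00", 4720, "temp.admin"),
]

def classify(event_id, detail):
    """Map one event to a stage of the chain, or None if it is irrelevant."""
    if event_id == 4720:                     # a user account was created
        return "account"
    if event_id == 4688:                     # a new process was created
        for stage, needles in STAGE_PATTERNS.items():
            if any(n in detail.lower() for n in needles):
                return stage
    return None

def correlate(events, window=WINDOW):
    """Alert on account creation preceded by RMM activity on the same host."""
    by_host = defaultdict(list)
    for host, ts, event_id, detail in events:
        stage = classify(event_id, detail)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage, detail))
    alerts = []
    for host, rows in sorted(by_host.items()):
        for when, stage, detail in sorted(rows):
            if stage != "account":
                continue
            prior = {s for t, s, _ in rows
                     if s != "account" and timedelta(0) <= when - t <= window}
            if "rmm" in prior:               # a scanner in the window raises severity
                severity = "high" if "recon" in prior else "medium"
                alerts.append({"host": host, "account": detail, "severity": severity})
    return alerts

if __name__ == "__main__":
    print(*correlate(EVENTS), sep="\n")
```

The medium-severity hit on HELPDESK-7 shows why such a rule needs triage: Splashtop followed by account creation is also what legitimate remote administration looks like.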

Trigona seems to be active under the radar at the moment. This lack of awareness in the security community allows it to attack victims unobtrusively while other ransomware operations with greater notoriety dominate the headlines. Palo Alto Networks hopes that education about Trigona and its unusual technique of using password-protected executables to obfuscate malware will help defenders better protect their environments from this threat.

Based on the numerous victims Unit 42 has identified and Trigona's currently evolving leak site, the operator and/or partners behind the ransomware are likely to continue – and possibly even increase – their criminal activity. Details on the Trigona ransomware or group can be found in Palo Alto's article Bee-Ware of Trigona, An Emerging Ransomware Strain.
