EXECUTIVE SUMMARY:
The Trigona ransomware operation is a double-extortion threat that combines data theft with file encryption to maximize pressure on victims. The threat actors first exfiltrate sensitive enterprise data before deploying ransomware to encrypt systems, threatening to leak stolen information if ransom demands are not met. Recent activity indicates a continued evolution of their tactics, including the use of custom-built tools to streamline and conceal data exfiltration operations, reducing reliance on publicly available utilities.
The intrusion begins with unauthorized access to enterprise environments, followed by lateral movement and privilege escalation using commonly abused administrative utilities and credential theft techniques. Once inside, the threat actor stages data for exfiltration and deploys a dedicated custom command-line data theft utility alongside tools such as Rclone or MegaSync, rather than relying solely on publicly available utilities. This exfiltration tool supports high-speed parallel transfers, selective file targeting, and connection rotation to reduce the likelihood of detection. After data theft, the ransomware component is executed to encrypt files across systems while simultaneously deleting recovery options and disabling security mechanisms to prevent restoration. The combination of optimized exfiltration and encryption ensures both operational disruption and information leakage.
The adoption of a purpose-built exfiltration tool highlights the continued evolution of Trigona's operational capabilities and its emphasis on stealthy, high-speed data theft. This shift reinforces the group's focus on double-extortion tactics, where stolen data and encrypted systems are used together to increase ransom pressure. Organizations are advised to strengthen monitoring of outbound network traffic, detect anomalous file transfer behavior, and implement robust endpoint and identity security controls to mitigate the risk of both data exfiltration and subsequent ransomware deployment.
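As an added illustration of the outbound-traffic monitoring recommended above (example code written for this summary, not tooling from the report or from Symantec), the following flags hosts whose egress to cloud storage shows the two traits the report attributes to the custom tool: bulk volume and bursts of parallel or rotated connections. The log format, the host names, the watched domains and the thresholds are all constructed assumptions; tune them from your own proxy or NetFlow telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy log lines: "<ISO timestamp> <src_host> <dst> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T02:00:01 WS-FIN-07 mega.nz 734003200
2024-05-01T02:00:03 WS-FIN-07 mega.nz 712000000
2024-05-01T02:00:04 WS-FIN-07 mega.nz 698000000
2024-05-01T02:00:06 WS-FIN-07 mega.nz 701000000
2024-05-01T02:00:07 WS-FIN-07 mega.nz 720000000
2024-05-01T09:15:22 WS-HR-02 mega.nz 5242880
2024-05-01T10:40:10 WS-ENG-11 updates.example.com 1048576
"""
# Cloud-storage endpoints to watch (assumption: mega.nz for MegaSync plus two
# object stores Rclone can target); extend this from your own egress telemetry.
CLOUD_STORAGE = {"mega.nz", "storage.googleapis.com", "s3.amazonaws.com"}
# Illustrative thresholds (assumptions): >1 GiB per host to cloud storage, or
# >=5 uploads inside 60 s, which is how parallel / rotated connections appear.
BYTES_THRESHOLD = 1 << 30
BURST_COUNT = 5
BURST_WINDOW_S = 60


def parse_line(line):
    ts, host, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes)


def flag_exfiltration(log_text):
    """Return {host: [reasons]} for hosts whose cloud egress looks bulk or parallel."""
    by_host = defaultdict(list)  # host -> [(timestamp, dst, bytes_out)]
    for line in log_text.strip().splitlines():
        ts, host, dst, nbytes = parse_line(line)
        if dst in CLOUD_STORAGE:
            by_host[host].append((ts, dst, nbytes))
    findings = {}
    for host, events in by_host.items():
        reasons = []
        total = sum(b for _, _, b in events)
        if total > BYTES_THRESHOLD:
            reasons.append(f"{total / (1 << 30):.1f} GiB to cloud storage")
        times = sorted(e[0] for e in events)
        for i, start in enumerate(times):  # sliding window over upload times
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= BURST_WINDOW_S)
            if n >= BURST_COUNT:
                reasons.append(f"{n} cloud uploads within {BURST_WINDOW_S}s")
                break
        if reasons:
            findings[host] = reasons
    return findings
```

Running `flag_exfiltration(SAMPLE_LOG)` flags only WS-FIN-07; the small single upload from WS-HR-02 and the non-cloud traffic from WS-ENG-11 stay below both thresholds.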
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.006 | Boot or Logon Autostart Execution | Kernel Modules and Extensions |
| Persistence | T1136.001 | Create Account | Local Account |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1082 | System Information Discovery | - |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Collection | T1119 | Automated Collection | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration to Cloud Storage |
| Impact | T1486 | Data Encrypted for Impact | - |
| Impact | T1490 | Inhibit System Recovery | - |
REFERENCES:
The following reports contain further technical details:
https://www.security.com/threat-intelligence/trigona-exfiltration-custom