Pro-Ukraine hacktivists reportedly hijacked Trigona ransomware servers

 


A group of pro-Ukraine hacktivists known as Ukrainian Cyber Alliance has reportedly commandeered a data leak site of the Trigona ransomware, exfiltrated data and wiped the servers.

"Trigona is gone. The servers of the Trigona ransomware have been exfiltrated and wiped. Welcome to the world you created for others," reads the message on the defaced Trigona website.

Trigona is a relatively new ransomware operation, first spotted in 2022. By April 2023, Trigona had begun targeting Internet-exposed MSSQL servers, compromising them by brute-forcing their credentials.

The threat actors behind Trigona are thought to be the same group behind the CryLock ransomware, based on similarities in their tactics, techniques, and procedures (TTPs). The gang has also been linked to the ALPHV group (also known as BlackCat), though researchers believe that any similarities between Trigona and BlackCat ransomware are circumstantial at best. The two groups may have collaborated at one point, but the ALPHV group was not involved in Trigona’s development and operation.

Trigona is written in the Delphi programming language. The operation uses double extortion tactics combining data exfiltration with file encryption. The ransomware has been regularly updated with new capabilities including a new data wiper feature.

