{"id":52462,"date":"2023-06-23T00:00:00","date_gmt":"2023-06-23T00:00:00","guid":{"rendered":"urn:uuid:d79fb4be-777b-7e9f-7b86-18955473481e"},"modified":"2023-06-23T00:00:00","modified_gmt":"2023-06-23T00:00:00","slug":"an-overview-of-the-different-versions-of-the-trigona-ransomware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/","title":{"rendered":"An Overview of the Different Versions of the Trigona Ransomware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trigona-976.png\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 \u2014 although samples of it existed as early as June 2022. 
Since then, Trigona\u2019s operators have remained highly active, and in fact have been continuously updating their ransomware binaries.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"endpoints,ransomware,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2023-06-23\"> <meta property=\"article:tag\" content=\"ransomware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/an-overview-of-the-trigona-ransomware.html\"> <title>An Overview of the Different Versions of the Trigona Ransomware<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/an-overview-of-the-trigona-ransomware.html\"><br \/>\n<meta property=\"og:title\" content=\"An Overview of the Different Versions of the Trigona Ransomware\"><br \/>\n<meta property=\"og:description\" content=\"The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 \u2014 although samples of it existed as early as June 2022. 
Since then, Trigona\u2019s operators have remained highly active, and in fact have been continuously updating their ransomware binaries.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trigona-976.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"An Overview of the Different Versions of the Trigona Ransomware\"><br \/>\n<meta name=\"twitter:description\" content=\"The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 \u2014 although samples of it existed as early as June 2022. Since then, Trigona\u2019s operators have remained highly active, and in fact have been continuously updating their ransomware binaries.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trigona-976.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.777211031382\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"469054637\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.797373358349\">\n<div 
class=\"article-details\" role=\"heading\" readability=\"43.25703564728\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 \u2014 although samples of it existed as early as June 2022. Since then, Trigona\u2019s operators have remained highly active, and in fact have been continuously updating their ransomware binaries.<\/p>\n<p class=\"article-details__author-by\">By: Arianne Dela Cruz, Paul Pajares, Ivan Nicole Chavez, Ieriz Nicolle Gonzalez, Nathaniel Morales <time class=\"article-details__date\">June 23, 2023<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"43.884420289855\">\n<div readability=\"34.721739130435\">\n<p>The Trigona ransomware is a relatively new<a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/definition\/Ransomware\"> ransomware<\/a> family that began activities around late October 2022 \u2014 although samples of it existed as early as June 2022. Since then, Trigona\u2019s operators have remained highly active, and in fact have been continuously updating their ransomware binaries. By April 2023, Trigona began targeting compromised MSSQL servers by stealing credentials via brute force methods. 
In May 2023, we found a Linux version of Trigona that shared similarities with its Windows counterpart.<\/p>\n<p>The threat actors behind Trigona are <a href=\"https:\/\/unit42.paloaltonetworks.com\/trigona-ransomware-update\/\">allegedly the same group<\/a> behind the <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/23\/b\/ransomware-evolution-part-1.html\">CryLock<\/a> ransomware due to similarities in tools, tactics, and procedures (TTPs). It has also been linked to the ALPHV group (also known as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-blackcat\/\">BlackCat<\/a>), though we believe that any similarities between Trigona and BlackCat ransomware are only circumstantial at best (one possibility is that ALPHV collaborated with the threat actors deploying Trigona but were not actually involved with its development and operation).<\/p>\n<p>Based on Trend Micro\u2122 Smart Protection Network\u2122 data, US and India were the countries with the highest number of Trigona ransomware detections, with Israel, Turkey, Brazil, and Italy also having a significant count.<\/p>\n<p>Meanwhile, attacks focused mainly on the technology and healthcare industries, which had the highest number of detections.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a3bf77\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-1.png\" alt=\"Figure 1. Trigona ransomware detections based on country\"> <\/a><figcaption>Figure 1. 
Trigona ransomware detections based on country<\/figcaption><\/figure>\n<\/p><\/div>\n<div readability=\"5.8962134795908\">\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"dce7c1\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-2.png\" alt=\"Figure 2. Trigona ransomware detections based on industry\"> <\/a><figcaption>Figure 2. Trigona ransomware detections based on industry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><span class=\"body-subhead-title\">Infection chain<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3653ef\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-3.png\" alt=\"Figure 3. The Trigona ransomware infection chain (based on Palo Alto\u2019s analysis of Trigona)\"> <\/a><figcaption>Figure 3. 
The Trigona ransomware infection chain (based on Palo Alto\u2019s analysis of Trigona)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.703788748565\">\n<div readability=\"23.564867967853\">\n<p>Trigona was found to be exploiting the ManageEngine vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-40539\">CVE-2021-40539<\/a> for initial access based on a <a href=\"https:\/\/areteir.com\/static\/5055b091d5c24a9ed63a06d70f2da20e\/Trigona-Report_020224_web.pdf\">report from Arete<\/a>. In addition, the threat actors used previously compromised accounts by obtaining access from network access brokers.<\/p>\n<p>It uses a variety of tools for lateral movement, including Splashtop (a legitimate remote access tool), which is used to drop additional tools on a compromised machine.<\/p>\n<p>Trigona drops a file called <i>turnoff.bat<\/i> (detected as Trojan.BAT.TASKILL.AE) to terminate AV-related services and processes. It also uses Network Scanner and Advanced Port Scanner to identify network connections.<\/p>\n<p>Based on <a href=\"https:\/\/asec.ahnlab.com\/en\/51343\/\">AhnLab\u2019s analysis<\/a>, Trigona\u2019s operators use CLR shell in attacks launched against MS-SQL servers. This tool supports multiple commands, including one that drops additional executables for privilege escalation (<i>nt.exe<\/i>).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"dcf11a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-4.png\" alt=\"Figure 4. 
Infection chain for compromised SQL server (Based on AhnLab\u2019s analysis)\"> <\/a><figcaption>Figure 4. Infection chain for compromised SQL server (Based on AhnLab\u2019s analysis)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.120221948212\">\n<div readability=\"21.782983970407\">\n<p>Trigona encrypts files in infected machines using AES encryption. Furthermore, the ransomware contains an encrypted configuration in its resource section which is decrypted upon execution. However, it will only use certain strings within its configuration. Trigona also randomizes the file names of encrypted files and appends the <i>._locked<\/i> extension upon encryption.<\/p>\n<p>Trigona\u2019s operators employ the credential dumper <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/news\/cybercrime-and-digital-threats\/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021\">Mimikatz<\/a> to gather the passwords and credentials found on the machines of the victims.<\/p>\n<p>In May 2023, our threat hunting team found a Linux ransomware binary that had a sparse number of detections. Upon further verification, we confirmed these binaries to be a Linux version of Trigona. Like its 32-bit Windows counterpart, this binary accepts command-line arguments for execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"687483\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-5.png\" alt=\"Figure 5. Code snippet showing command-line arguments from the Linux version of Trigona\"> <\/a><figcaption>Figure 5. 
Code snippet showing command-line arguments from the Linux version of Trigona<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The ransom note dropped by the binary (<i>how_to_decrypt.txt<\/i>) contains only an email address of the threat actor behind the attack. This may indicate that the Linux version is still a work in progress.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e405ef\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-6.png\" alt=\"Figure 6. Ransom note dropped by the Linux version of Trigona\"> <\/a><figcaption>Figure 6. Ransom note dropped by the Linux version of Trigona<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>In June 2023, we encountered a new version of Trigona ransomware, this time designed for Windows 64-bit platforms. 
This version implements additional command-line arguments that were not present with the Linux version and the original 32-bit version (such as<i> \/sleep<\/i> and <i>\/debug<\/i>).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"178bb2\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-7.png\" alt=\"Figure 7. Snippet showing command-line arguments from the 64-bit Windows version of Trigona\"> <\/a><figcaption>Figure 7. Snippet showing command-line arguments from the 64-bit Windows version of Trigona<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Table 1 summarizes the command-line arguments used by each of the different versions of Trigona:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"20\">\n<tr>\n<th scope=\"col\"><b>32-bit Windows<\/b><\/th>\n<th scope=\"col\"><b>64-bit Windows<\/b><\/th>\n<th scope=\"col\"><b>Linux<\/b><\/th>\n<th scope=\"col\"><b>Description<\/b><\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/r<\/td>\n<td width=\"63\">\/r<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Allows the encryption of files in a random order<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"48\" width=\"63\">\/full<\/td>\n<td width=\"63\">\/full<\/td>\n<td width=\"63\">\/full<\/td>\n<td width=\"396\">Encrypt the whole content of the target file (if not used, only the first 0x80000 bytes\/512kb are 
encrypted)<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"48\" width=\"63\">\/erase<\/td>\n<td width=\"63\">\/erase<\/td>\n<td width=\"63\">\/erase<\/td>\n<td width=\"396\">Deletes the content of the target files. (By default, only the first 512kb is erased unless the argument \/full is used)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/!autorun<\/td>\n<td width=\"63\">\/!autorun<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Does not create the autorun registry entry.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/is_testing<\/td>\n<td width=\"63\">\/is_testing<\/td>\n<td width=\"63\">\/is_testing<\/td>\n<td width=\"396\">Used with \/test_cid and \/test_vid for testing purposes<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/test_cid<\/td>\n<td width=\"63\">\/test_cid<\/td>\n<td width=\"63\">\/test_cid<\/td>\n<td width=\"396\">Uses the specified Computer ID instead of generating one<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/test_vid<\/td>\n<td width=\"63\">\/test_vid<\/td>\n<td width=\"63\">\/test_vid<\/td>\n<td width=\"396\">Uses the specified Victim ID instead of the one in the configurations<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/p<\/td>\n<td width=\"63\">\/p<\/td>\n<td width=\"63\">\/p<\/td>\n<td width=\"396\">Specifies the path to encrypt<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/path<\/td>\n<td width=\"63\">\/path<\/td>\n<td width=\"63\">\/path<\/td>\n<td width=\"396\">Specifies the path to encrypt<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/!local<\/td>\n<td width=\"63\">\/!local<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Avoids encrypting local files<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/!lan<\/td>\n<td width=\"63\">\/!lan<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Avoids encrypting network 
shares<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">\/shdwn<\/td>\n<td width=\"63\">\/shdwn<\/td>\n<td width=\"63\">\/shutdown<\/td>\n<td width=\"396\">Forces shutdown of the machine after encryption<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td height=\"48\" width=\"63\">\/autorun_only<\/td>\n<td width=\"63\">\/autorun_only<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Creates an autorun registry entry that will execute the ransomware upon logon. This will not perform the encryption yet.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">&nbsp;<\/td>\n<td width=\"63\">\/sleep<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Sleeps for n seconds before execution<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td height=\"48\" width=\"63\">&nbsp;<\/td>\n<td width=\"63\">\/debug<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Executes in debug mode; needs to be executed with \/p<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">&nbsp;<\/td>\n<td width=\"63\">\/log_f<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Specifies the log file for logging<\/td>\n<\/tr>\n<tr>\n<td height=\"48\" width=\"63\">&nbsp;<\/td>\n<td width=\"63\">\/fast<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"48\" width=\"63\">&nbsp;<\/td>\n<td width=\"63\">\/allow_system<\/td>\n<td width=\"63\">&nbsp;<\/td>\n<td width=\"396\">Allows encryption of files in the system directory<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<p><h5>Table 1. 
Command-line arguments used by each Trigona version<\/h5>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>All versions of Trigona employ&nbsp; <b><i>TDCP_rijndael<\/i> <\/b>(AES) to encrypt the target files depending on the configurations set in its resource section.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3d3d01\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-8.png\" alt=\"Figure 8. The Linux version of Trigona using AES for encryption\"> <\/a><figcaption>Figure 8. The Linux version of Trigona using AES for encryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Encrypted files are either renamed with encrypted strings or with an additional prepended string <i>available_for_trial<\/i>, then appended by the <i>._locked<\/i> extension.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"40e2aa\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-9.png\" alt=\"Figure 9. Files encrypted by Trigona\"> <\/a><figcaption>Figure 9. 
Files encrypted by Trigona<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"47.081695966908\">\n<div readability=\"40.215615305067\">\n<p>To pressure victims into paying the ransom, the Trigona leak site contains a countdown timer and bidding options for parties interested in acquiring access to the leaked data. The attackers provide each victim with an authorization key that they can use to register on the negotiation portal provided by Trigona.<\/p>\n<p>The Trigona ransomware group employs a double extortion scheme. In addition to the main leak site which displays the list of victim companies, Trigona\u2019s operators also use a Tor site where victims can communicate with the threat actor group to negotiate for the decryption tool. Interestingly, they also flag those victims that have already paid.<\/p>\n<p>The report from Palo Alto revealed an IP address hosting the leak site under the name &#8220;Trigona Leaks&#8221; and using port 8000. Additionally, another IP address titled &#8220;Leaks&#8221; was uncovered, which also employed port 8000 and shared the same IP range as the previously mentioned leak site-connected IP address.<\/p>\n<p>During our investigation, we found another IP address on June 3 that was still active at the time of writing. This IP address, which uses port 3000 and the title <i>Blog<\/i>, is within the IP range of the previous addresses. We surmise that the threat actor relocates some of its infrastructure when their IP address is exposed. Using this third leak site, we were able to find their file storage site (aeey7hxzgl6zowiwhteo5xjbf6sb36tkbn5hptykgmbsjrbiygv4c4id[.]onion). 
This site hosts critical data stolen from victims such as documents, contracts, and other large amounts of data.<\/p>\n<p>The Trigona ransomware group has poor operational security when it comes to the implementation of Tor sites \u2014 although their aim of targeting poorly-managed SQL servers is not something we usually see with less technically-proficient threat actors. Our <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-targetcompany\">ransomware spotlight on TargetCompany<\/a> shows another group using a similar technique of targeting SQL servers.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b3fd7f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-10.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-10.png\" alt=\"Figure 10. Main leak site of Trigona\"> <\/a><figcaption>Figure 10. Main leak site of Trigona<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0badf3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-11.png\" alt=\"Figure 11. Trigona leak site found via Shodan on June 3, 2023\"> <\/a><figcaption>Figure 11. 
Trigona leak site found via Shodan on June 3, 2023<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"ed2052\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/f\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/trigona-12.png\" alt=\"Figure 12. The file storage Tor site of Trigona using the title \u201ctest\u201d\"> <\/a><figcaption>Figure 12. The file storage Tor site of Trigona using the title \u201ctest\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.034677419355\">\n<div readability=\"23.109677419355\">\n<p>The Trigona ransomware currently maintains a relatively low profile when compared to more widespread families, allowing it to operate covertly. Nonetheless, due to its continuous evolution and increased activity, we anticipate that Trigona will gain prominence in the near future. Furthermore, it joins the <a href=\"https:\/\/www.trendmicro.com\/en_hk\/about\/newsroom\/press-releases\/2022\/09-01-2022.html\">growing list of ransomware groups that have developed a Linux version<\/a> to try and capitalize on the expanding high-value Linux market, adding evidence that Trigona\u2019s operators are trying to expand their reach as much as possible. Therefore, it is crucial for individuals and organizations to familiarize themselves with this ransomware to prevent potential harm.<\/p>\n<p>To safeguard systems against ransomware attacks, it is advisable for organizations to adopt effective measures. 
These include implementing data protection protocols and establishing backup and recovery procedures to ensure that data remains secure and can be restored in case of encryption or even deletion. Conducting routine vulnerability assessments and promptly patching systems can significantly reduce the impact of ransomware attacks that exploit vulnerabilities.<\/p>\n<p>We recommend the following security precautions:<\/p>\n<ol>\n<li>Enable multifactor authentication (MFA) to hinder attackers from moving laterally within a network and accessing sensitive information.<\/li>\n<li>Follow the 3-2-1 rule when creating backups for important files. This involves generating three backup copies stored in two different file formats, with one copy stored in a separate location. This ensures redundancy and minimizes the risk of data loss.<\/li>\n<li>Update and patch systems regularly. It is important to keep applications and operating systems up to date and establish robust patch management protocols to prevent malicious actors from exploiting software vulnerabilities.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"18\">\n<tr>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Detection name<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663<\/td>\n<td width=\"273\">Ransom.Linux.TRIGONA.THCBBBC&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"41\" width=\"474\">951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74<\/td>\n<td width=\"273\">Ransom.Linux.TRIGONA.THEAFBC&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c<\/td>\n<td width=\"273\">Ransom.Win64.TRIGONA.YXDFIZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" 
width=\"474\">a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9<\/td>\n<td width=\"273\">Ransom.Win64.TRIGONA.THFOIBC<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357<\/td>\n<td width=\"273\">Ransom.Win64.TRIGONA.YXDFOZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376<\/td>\n<td width=\"273\">Ransom.Win32.TRIGONA.YPDDZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b<\/td>\n<td width=\"273\">Ransom.Win32.TRIGONA.YMDBJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff<\/td>\n<td width=\"273\">Ransom.Win64.TRIGONA.YXDFUZ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"21\" width=\"474\">c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f<\/td>\n<td width=\"273\">Trojan.MSIL.TRIGONA.YCDCT<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/an-overview-of-the-trigona-ransomware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 \u2014 although samples of it existed as early as June 2022. 
Since then, Trigona\u2019s operators have remained highly active, and in fact have been continuously updating their ransomware binaries. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":52463,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-52462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>An Overview of the Different Versions of the Trigona Ransomware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"An Overview of the Different Versions of the Trigona Ransomware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-06-23T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trigona-976.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"An Overview of the Different Versions of the Trigona 
Ransomware\",\"datePublished\":\"2023-06-23T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/\"},\"wordCount\":1769,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/\",\"name\":\"An Overview of the Different Versions of the Trigona Ransomware 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png\",\"datePublished\":\"2023-06-23T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png\",\"width\":800,\"height\":560},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/an-overview-of-the-different-versions-of-the-trigona-ransomware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"An Overview of the Different Versions of the Trigona Ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report 
\u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"An Overview of the Different Versions of the Trigona Ransomware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"An Overview of the Different Versions of the Trigona Ransomware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-06-23T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trigona-976.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"An Overview of the Different Versions of the Trigona Ransomware","datePublished":"2023-06-23T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/"},"wordCount":1769,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/","url":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/","name":"An Overview of the Different Versions of the Trigona Ransomware 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png","datePublished":"2023-06-23T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/06\/an-overview-of-the-different-versions-of-the-trigona-ransomware.png","width":800,"height":560},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-different-versions-of-the-trigona-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"An Overview of the Different Versions of the Trigona Ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation 
Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=52462"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52462\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/52463"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=52462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=52462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=52462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}