
The malware exploits a Windows vulnerability to “perform malicious behaviours”.

Hackers are distributing Trigona ransomware via internet-exposed Microsoft SQL (MS-SQL) servers, according to a report in BleepingComputer. The externally accessible or poorly protected servers are being breached via brute-force or dictionary attacks that take advantage of easy-to-guess account credentials, the report says.
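The brute-force and dictionary attacks described above leave a characteristic trail in the SQL Server ERRORLOG: bursts of "Login failed for user" entries from one client address, often cycling through several account names, followed by a "Login succeeded" line once a guess lands. The script below is an added example (not code from the report or from AhnLab) that parses constructed ERRORLOG lines in that format and flags clients that exceed a failure threshold inside a sliding window. The sample log, the addresses and the account names are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, in the SQL Server ERRORLOG layout (not a real capture).
# State 8 = wrong password for an existing login, State 5 = login does not exist.
SAMPLE_ERRORLOG = """\
2023-04-17 08:00:03.27 Logon       Login succeeded for user 'app_ro'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2023-04-17 08:40:10.00 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 08:40:10.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-04-17 09:10:55.49 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:10:55.49 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-04-17 09:12:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 09:12:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:03.52 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:04.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:06.02 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:07.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:09.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:10.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-17 09:12:12.05 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
"""

_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
LOGIN_FAILED_RE = re.compile(
    _TS + r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]")
LOGIN_OK_RE = re.compile(
    _TS + r"Login succeeded for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]")


def _ts(text):
    # %f accepts the two-digit fraction SQL Server writes.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag client addresses with >= threshold failed logins inside any
    `window`, and report whether a login later succeeded from that client.
    The 'Error: 18456' companion lines carry no client and are skipped."""
    failures = defaultdict(list)   # client -> [(time, user)]
    successes = defaultdict(list)  # client -> [(time, user)]
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            failures[m["client"]].append((_ts(m["ts"]), m["user"]))
            continue
        m = LOGIN_OK_RE.match(line)
        if m:
            successes[m["client"]].append((_ts(m["ts"]), m["user"]))

    findings = []
    for client, attempts in sorted(failures.items()):
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):  # sliding window over sorted times
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = attempts[0][0]
        later_ok = [u for t, u in successes.get(client, []) if t > first_fail]
        findings.append({
            "client": client,
            "failures": len(attempts),
            "peak_in_window": peak,
            "users_tried": sorted({u for _, u in attempts}),
            "success_after_failures": bool(later_ok),
            "succeeded_as": later_ok,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()):
        print(finding)
```

Two practical caveats: SQL Server only writes "Login succeeded" lines when login auditing is set to record both failed and successful logins (Server Properties, Security tab), so the success-after-failures signal is absent under the default "failed logins only" setting; and a slow dictionary attack spread over hours will stay under a 60-second window, so run the same logic with a longer window as well. The fix the report implies is simpler than the detection: do not expose port 1433 to the internet, and do not leave `sa` or any other login with a guessable password.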

Once they have breached the server, the malefactors collect system information and gain additional system control. They deploy malware dubbed CLR Shell by security researchers from AhnLab, a South Korean cybersecurity firm that first spotted the attacks.

Specifically, the attackers use CLR Shell to harvest system information. They also alter the compromised account's configuration and escalate privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service. LocalSystem privileges are needed because the ransomware is later launched as a Windows service.

Recovery is “impossible”

“CLR Shell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers,” according to AhnLab.

In the next stage, the attackers install and launch a dropper malware as the svcservice.exe service, which they then use to launch the Trigona ransomware as svchost.exe.

They also configure the ransomware binary to launch automatically on each system restart via a Windows autorun (Run) key, so that encryption continues even after a reboot. Before encrypting the system and dropping ransom notes, the malware disables system recovery and deletes all Windows Volume Shadow Copies.

This makes recovery impossible without the decryption key.

Ransom is accepted only in crypto

The Trigona ransomware operation was first spotted by MalwareHunterTeam in October 2022. The gang is known for only accepting ransom payments in Monero cryptocurrency from victims worldwide.

Trigona encrypts all files on a victim's device except those in specific folders, BleepingComputer reports; these include the Windows and Program Files directories. The gang also claims to steal sensitive documents before encryption, and then adds them to its leak site on the dark web.

The Trigona ransomware gang has been behind a constant stream of attacks, with at least 190 submissions to the ID Ransomware platform since the start of the year, according to BleepingComputer.