Heimdal
article featured image

Contents:

Attackers are breaking into Microsoft SQL (MS-SQL) servers to install Trigona ransomware payloads and encrypt all files. These servers are not well protected and are exposed to the Internet. By using account credentials that are simple to guess, brute-force or dictionary attacks are being used to access the MS-SQL servers.

After successfully connecting to a server, the threat actors deploy the malware called CLR Shell by security researchers from South Korean firm AhnLab, who spotted the attacks.

How Does the Malware Work?

The malware is used for harvesting system information by altering the compromised accounts’ configuration and escalating privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service (required to launch the ransomware-as-a-service)

According to AhnLab,

CLR Shell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers.

After the completion of the first stage, the attackers install and launch a dropper malware as the svcservice.exe service, used to launch the Trigona ransomware as svchost.exe.

In order to assure that the PCs would remain encrypted even after a reboot, they additionally configure the ransomware program to automatically activate on each system restart through a Windows autorun key. The malware disables system recovery and deletes any Windows Volume Shadow copies before encrypting the system and delivering ransom notes, making recovery impossible without the decryption key.

trigona ransomware note

Trigona Ransomware Note (Source: BleepingComputer)

What Is Trigona Ransomware?

According to BleepingComputer, The Trigona ransomware was first spotted in October 2022 and is known for only accepting ransom payments in the Monero cryptocurrency. The gang has made victims worldwide in the few months it has been spotted being active.

Trigona encrypts all files on the victims’ devices they breach, except for those in specific folders, including the Windows and Program Files directories. The gang also claims to steal sensitive documents that will get added to its dark web leak site before encryption.

Additionally, every locked file has the victim ID (business name), the campaign ID, and the encrypted decryption key embedded in it. The ransomware also renames encrypted files by appending the ._locked extension to them.

Along with creating ransom notes with details on the attack, a link to the Trigona Tor negotiation website, and a link with the authorization key required to log into the negotiation site, it also creates files named “how_to_decrypt.hta” in each folder.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE