Cybersecurity experts at Trend Micro have recently discovered a new variant of the Trigona ransomware that has been actively spreading since June 2022. Like most ransomware programs, Trigona uses a double extortion method: it first exfiltrates files from infected computers and then encrypts them, threatening to publish the stolen data on the internet if victims refuse to pay a cash ransom.
The Trigona program is written in Delphi and uses 112-bit RSA and 256-bit AES in OFB mode to encrypt files. Once the program encrypts a file, it appends the extension “.Locked” to it and leaves behind a “How_to_Decrypt.hta” file containing instructions for data restoration and the attackers’ contact information. Victims are offered the option to decrypt up to three files for free as evidence that their data can be recovered.
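The two on-disk artifacts named above, the “.Locked” extension and the “How_to_Decrypt.hta” note, are the kind of indicators a defender can sweep a file share for after a suspected incident. The following is an added example written for this article, not code from Trend Micro or from the Trigona sample; the alert threshold, the sample directory layout and the file names inside it are constructed assumptions for demonstration.

```python
"""Added example: sweep a directory tree for the file-system artifacts the
article attributes to Trigona (".Locked" suffix and "How_to_Decrypt.hta"),
and flag directories where they are concentrated. The threshold and the
sample tree below are assumptions made for this demo."""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".locked"          # article: ".Locked" is appended to encrypted files
RANSOM_NOTE = "how_to_decrypt.hta"  # article: note left next to encrypted files
ALERT_RATIO = 0.5                   # assumption: flag a dir once half its files are .Locked


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    suspicious_dirs: list = field(default_factory=list)


def scan_tree(root):
    """Walk `root`; collect indicator paths and directories worth triage."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        # Case-insensitive match so Windows-style mixed case is not missed.
        locked = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        notes = [f for f in filenames if f.lower() == RANSOM_NOTE]
        result.encrypted_files.extend(os.path.join(dirpath, f) for f in locked)
        result.ransom_notes.extend(os.path.join(dirpath, f) for f in notes)
        # A ransom note anywhere, or a high share of renamed files, is enough
        # to flag the directory for incident-response triage.
        if filenames and (notes or len(locked) / len(filenames) >= ALERT_RATIO):
            result.suspicious_dirs.append(dirpath)
    return result


def build_sample_tree():
    """Create a throwaway tree that mimics the aftermath the article describes.
    Constructed demo data only: every file is empty."""
    root = tempfile.mkdtemp(prefix="trigona_demo_")
    clean = os.path.join(root, "clean")
    hit = os.path.join(root, "shared")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("report.docx", "notes.txt"):
        open(os.path.join(clean, name), "w").close()
    for name in ("q1.xlsx.Locked", "plan.pdf.Locked", "How_to_Decrypt.hta", "readme.txt"):
        open(os.path.join(hit, name), "w").close()
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{len(report.encrypted_files)} encrypted file(s), "
          f"{len(report.ransom_notes)} ransom note(s)")
    for d in report.suspicious_dirs:
        print("triage:", d)
```

Run it against a real path by replacing `build_sample_tree()` with the share or backup root you want to check; the ratio test keeps a single stray file from raising an alert, while the note check catches a directory even when only a handful of files were touched.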
Typically, victims are required to download and install a browser to pay the ransom. This lets the attackers communicate over an anonymizing network that carries data in encrypted form and is protected from eavesdropping. Trigona is predominantly written in programming languages such as C, C++, and Python.
This latest discovery by Trend Micro highlights the continuously evolving nature of cyber threats and emphasizes the importance of staying vigilant and adopting best practices to guard against them. Users are advised to maintain good cybersecurity habits, such as keeping software updated, avoiding suspicious links and attachments, and regularly backing up important data, to avoid falling victim to a ransomware attack.