Trigona hackers get hacked, ransom site taken down
Take action: Yes, cybercrime groups are just as bad as the rest of us at patching their critically vulnerable servers. Don't be like them: patch your systems, or end up listed on a crime group's ransom site.
Learn More
Trigona ransomware has had its servers compromised by the Ukrainian Cyber Alliance (UCA), resulting in the exfiltration and wiping of the group's data. Trigona has previously shown a willingness to reuse compromised business email accounts obtained during earlier attacks. Research suggests that Trigona may have ties to CryLock ransomware and possibly to the ALPHV/BlackCat gang.
On October 17, 2023, UCA revealed that it had seized and disabled Trigona ransomware's servers, posting evidence of its actions on the group's Darknet leak site. The Ukrainian Cyber Alliance is a hacktivist group that has been active since 2014 and targets Russian cybercrime gangs. Notably, UCA gained access to Trigona's Confluence instance earlier in October, which gave it a significant foothold. The Confluence compromise was probably carried out through the currently circulating severe vulnerability in Atlassian Confluence; the article does not name the specific flaw.
Apart from hacking and defacing the Darknet site, the Ukrainian hackers also wiped Trigona's backups, making it hard for the ransomware group to recover quickly. Session data and the toolkit used by the criminals were exfiltrated as well, which hints that a decryptor for Trigona ransomware victims might become available.
While the Trigona group may eventually recover, the incident poses significant challenges to its operations. The cryptocurrency wallets the group relied on for funding are now exposed, and whether its members are motivated to rebuild infrastructure without a financial payoff is uncertain. This development follows a broader trend of hacker groups having their network infrastructure disrupted, with UCA's actions proving particularly effective compared to traditional law enforcement efforts.