Cyber Threat Actor: Trigona
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
5 incidents |
|---|
Profile
Trigona, also known as the Trigona ransomware group, is a threat actor that has been publicly identified since mid‑2022 and is reported to operate from Russia. The group has targeted a range of sectors including technology parks, engineering firms, medical imaging providers, educational institutions, and municipal governments across regions such as Hong Kong, Italy, and the United States (California, Tennessee, Florida). Their activities are primarily driven by financial gain, as they demand ransom payments, offer stolen data for sale, and engage in double‑extortion schemes that combine file encryption with threats to leak exfiltrated information.
Initial access often involves brute‑force or dictionary attacks against exposed MS‑SQL servers, after which the attackers deploy the CLR Shell malware to establish a foothold. Once inside, Trigona maintains persistence through multiple remote‑access tools such as AnyDesk, VNC, proxy services, and TeamViewer, even after RDP sessions are terminated. The group’s tooling includes the use of ChaCha20 and Elliptic Curve Cryptography (ECC) for file encryption, and they frequently exfiltrate large volumes of data—ranging from 120 GB to over 400 GB—before deciding whether to encrypt files or simply threaten to release the stolen information. Their extortion model varies: in some cases they provide a decryptor upon payment, while in others they sell the data directly or, as seen with the Franklin, Tennessee incident, share detailed remediation advice after negotiations fail.
Publicly available sources describe Trigona as a closed group that does not participate in underground forums and has declined to comment on any alleged links to other ransomware syndicates such as AlphV. No state sponsorship or formal criminal‑consortium affiliation has been established in the reporting, and the group’s own statements emphasize that they select targets based on perceived interests and security considerations rather than a blanket geographic or sector ban.
Representative operations include a six‑month‑long intrusion into Unique Imaging’s network where the group accessed the Radiology Information System and exfiltrated protected health information; a March 2023 breach of the City of Franklin that resulted in the theft of 428 GB of municipal data, including law‑enforcement credentials, and concluded with the actors providing the victim with network‑hardening guidance; a May 2023 attack on the Italian engineering firm Lolaico Impianti in which the stolen corporate data was offered for sale at $100,000; an April 2023 ransomware event at Pacific Union College that led to the alleged exfiltration of 120 GB of personal data from students, faculty, donors and parents; and an August 2023 incident at Hong Kong’s Cyberport technology park where hundreds of gigabytes of employee, HR and financial data were leaked on the dark web.
