- Microsoft IIS Servers Targeted by Lazarus - August 18, 2023
- AI-Powered Hacker Threats - August 18, 2023
- Attacks Against Ukraine and Poland Continue to Use the PicassoLoader Malware - August 18, 2023
The hackers gain access through brute-force or dictionary attacks. They take advantage over servers that are either exposed to the internet or have poor security measures.
The Trigona ransomware group, active since October 2022, targets Microsoft SQL servers with CLR Shell malware and exploits a Windows vulnerability (CVE-2016-0099) to launch ransomware.
The attackers use a dropper malware (svcservice[.]exe) to run the ransomware (svchost[.]exe) and ensure persistence by configuring an autorun key. They demand Monero payments and have made decryption difficult.
The Technical Aspects of the Attacks
Trigona ransomware attackers are notorious for using aggressive tactics to extort victims. In addition to encrypting files, the attackers threaten to expose any sensitive documents they may have stolen from the victim’s system, indicating their primary motive is financial gain and exploiting vulnerabilities in the target’s security.
After successful encryption, the attackers append the ._locked extension to the original file name and add the victim ID, campaign ID, and locked decryption key to each file to remind the victim of their control over the system and the need to pay the ransom to regain access.
The attackers establish a ransom note named how_to_decrypt[.]hta in every folder containing the encrypted files, providing attack details, links to a Tor negotiation website, and an authorization key for the negotiation site. Here, attackers and victims can dictate the rules of the ransom payment terms, including the amount and payment method.
How to Prevent
Security experts suggest that administrators take steps to protect against Trigona ransomware attacks, which use brute-force methods to gain access to victim systems. This includes selecting strong passwords that are difficult to guess and changing them on a regular basis to prevent unauthorized access.
Additionally, security measures such as firewalls should be deployed for database servers that are exposed to the internet, in order to limit access by external entities. This can help prevent hackers from breaching the sensitive information and compromising the security of the network.
In summary, to defend against Trigona ransomware attacks, administrators should use strong passwords and change them frequently, and employ security software such as firewalls to restrict access to databases from external sources. These steps can help get rid of the unwanted entry and safeguard the integrity of the network.