• Wed. Oct 11th, 2023

Trigona Ransomware Exploits Poorly Configured Microsoft SQL Servers

Avatar photo

ByEsme Greene

May 17, 2023
Trigona Ransomware Targets Weakly Configured Microsoft SQL Servers
Esme Greene
Latest posts by Esme Greene (see all)

The hackers gain access through brute-force or dictionary attacks. They take advantage over servers that are either exposed to the internet or have poor security measures.

The Trigona ransomware group, active since October 2022, targets Microsoft SQL servers with CLR Shell malware and exploits a Windows vulnerability (CVE-2016-0099) to launch ransomware.

The attackers use a dropper malware (svcservice[.]exe) to run the ransomware (svchost[.]exe) and ensure persistence by configuring an autorun key. They demand Monero payments and have made decryption difficult.

The Technical Aspects of the Attacks

Trigona ransomware attackers are notorious for using aggressive tactics to extort victims. In addition to encrypting files, the attackers threaten to expose any sensitive documents they may have stolen from the victim’s system, indicating their primary motive is financial gain and exploiting vulnerabilities in the target’s security.

After successful encryption, the attackers append the ._locked extension to the original file name and add the victim ID, campaign ID, and locked decryption key to each file to remind the victim of their control over the system and the need to pay the ransom to regain access.

The attackers establish a ransom note named how_to_decrypt[.]hta in every folder containing the encrypted files, providing attack details, links to a Tor negotiation website, and an authorization key for the negotiation site. Here, attackers and victims can dictate the rules of the ransom payment terms, including the amount and payment method.

How to Prevent

Security experts suggest that administrators take steps to protect against Trigona ransomware attacks, which use brute-force methods to gain access to victim systems. This includes selecting strong passwords that are difficult to guess and changing them on a regular basis to prevent unauthorized access.

Additionally, security measures such as firewalls should be deployed for database servers that are exposed to the internet, in order to limit access by external entities. This can help prevent hackers from breaching the sensitive information and compromising the security of the network.

In summary, to defend against Trigona ransomware attacks, administrators should use strong passwords and change them frequently, and employ security software such as firewalls to restrict access to databases from external sources. These steps can help get rid of the unwanted entry and safeguard the integrity of the network.

Avatar photo

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.