On Oct. 17, a triumphant message abruptly appeared on the official dark web leak page of the Trigona ransomware group. Later copied to X (formerly Twitter) by a group calling itself the Ukrainian Cyber Alliance, it read as follows:
“Trigona is gone! The servers of the Trigona ransomware gang have been exfiltrated and wiped out.”
And just to rub in the disruption:
“Welcome to the world you created for others.”
Hacktivists in Action
For the Ukrainian Cyber Alliance—a group that claims to have devoted itself to “disrupting Russian criminal enterprises since 2014”—disrupting the Trigona ransomware was all in a good day’s work.
In case anyone doubted the Ukrainian group’s claims, a user known as herm1t published a screenshot from what appeared to be Trigona’s collaboration channel on the Confluence platform. Ironically, access to that was reportedly gained by exploiting a vulnerability, CVE-2023-22515, the kind of issue that usually aids ransomware.
More screenshots on the Telegram channel RUH8 from September went deeper still, suggesting that infrastructure such as backups had also been compromised. One report suggests the hacktivists even compromised the group’s Bitcoin wallets and source code.
In all probability, this means the Trigona ransomware is now unable to operate and will find it impossible to reconstitute its operation for future attacks. It’s also possible that the Ukrainian hacktivists will eventually recover decryption keys, potentially making it possible to unlock the data of at least some victims.
Succumbing to Hacktivists
Despite having attacked a range of organizations in the healthcare and technology sectors since its appearance in early 2022, Trigona isn’t all that well-known. This isn’t surprising—very few ransomware groups stick around long enough to become household names.
Trigona is just another ransomware actor that emerged from somewhere (most likely the CryLock ransomware, which itself possibly emerged from something called Cryald as far back as 2014) and has now, hopefully, disappeared for good.
But if it really is gone for good, what will mark Trigona out as a reference point for some time to come is the manner of its demise at the hands of hacktivists.
For a ransomware group to succumb to hacktivists is still a vanishingly rare event compared to, say, police action such as the notable takedown of the prodigious Hive group in early 2023.
There has been the occasional indication of this kind of event, the best known of which was the 2022 leaking of thousands of the Conti group’s internal messages by a Ukrainian researcher angered at Russia’s invasion of the country.
Unfortunately, neither approach seems to be making much of an inroad into the broader activity of ransomware groups, which seem to sprout up more quickly than they could ever realistically be stopped. According to Chainalysis, which monitors the illicit crypto channels groups use to extract ransoms, payments to criminals were at least $449.1 million in the first half of 2023 alone.
Nevertheless, the apparent success of the hacktivist group Ukrainian Cyber Alliance suggests that its MO holds some potential. Although they can’t endorse actions that might breach strict legality, the authorities seem to sense this, which is why they’ve started offering large bounties for information regarding groups and their members.
While the geopolitics of Ukraine won’t inspire every hacktivist-in-the-making, perhaps money might become a more tempting incentive.