BleepingComputer reports that organizations around the world are being increasingly attacked by a ransomware operation that has recently rebranded as Trigona.
Although Trigona ransomware samples were observed early this year, the operation only introduced itself with a new Tor negotiation site in late October, according to MalwareHunterTeam.
Trigona has been found to support different command-line arguments for identifying encrypted local or network files, adding Windows autorun keys, and using a victim ID or campaign ID. The ransomware encrypts all files on a device apart from those in the Windows and Program Files folders, and encrypted files also receive the ".locked" extension, noted BleepingComputer.
Aside from the encrypted decryption key, Trigona has also been observed to embed victim and campaign IDs in files that have been encrypted.
Meanwhile, logging into Trigona's Tor site shows victims details regarding Monero purchases for the ransom payment, as well as a support chat for negotiation purposes.
BleepingComputer has yet to identify Trigona's means of network breaches or ransomware deployment.
Trigona ransomware gang ramps up attacks worldwide