Trigona attacks ATMCo
The Trigona Ransomware Attack on ATMCo
The Trigona ransomware group has attacked ATMCo and released a sample of purloined data, including financial data, invoices, customer data, tax documents, and more. A ransom of $150,000 has been demanded, with a deadline of 21 March. ATMCo is an ATM-as-a-Service business whose offerings span self-service banking, payments, networking, telecommunications, and technology. It is a cash-generative business positioned to focus on delivering ATM-as-a-Service to a large installed customer base across banks and retailers.
Background of the Trigona Ransomware Group
The Trigona ransomware group, first tracked by Trend Micro as Water Ungaw, reared its head in October of 2022, although binaries of the ransomware were first seen as early as June of the same year. It ran a lucrative scheme, launching attacks around the world and advertising revenues of 20% to 50% for each successful attack. The group was also reported as communicating with network access brokers who provide compromised credentials via the Russian Anonymous Marketplace (RAMP) forum’s internal chats, and using the sourced information to obtain initial access to targets. Bad actors behind the group are understood to be affiliated with CryLock, as they use similar tactics, techniques, and procedures (TTPs), ransom note file names, and email addresses.
Recent Developments and Tactics
In April 2023, Trigona began targeting compromised Microsoft SQL (MSSQL) Servers through brute-force attacks. A month later, researchers found a Linux version of Trigona that shared similarities with its Windows counterpart. The Trigona ransomware is also linked to BlackCat (also known as AlphaVM, AlphaV, or ALPHV), although at present there are no known similarities between the two groups. It is possible that BlackCat only used or collaborated with the threat actors deploying Trigona. A report by Arete confirmed that Trigona had been seen exploiting CVE-2021-40539 for initial access.
Once it takes hold of a target’s system and data, the malefactors behind Trigona provide an authorization key for victims to register on the negotiation portal. Trigona published critical data stolen from victims, including documents and contracts, on its leak site. The website had bidding options to acquire access to the leaked data and contained a countdown timer, which could have been used to place additional pressure on victims to pony up.