Attackers are breaking into Microsoft SQL (MS-SQL) servers to install Trigona ransomware payloads and encrypt all data. These servers are not well protected and are accessible to the Internet. By using account credentials that are simple to guess, brute-force or dictionary assaults are being used to access the MS-SQL servers.
The threat actors use malware known as CLR Shell after connecting to a server, according to security experts from South Korean cybersecurity firm AhnLab, who discovered the assaults. By taking advantage of a flaw in the Windows Secondary Logon Service (which will be required to launch the ransomware as a service), this malware is used to gather system data, change the settings of the compromised account, and elevate access to LocalSystem.
“CLR Shell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers,” AhnLab says.
The attackers then start the Trigona ransomware as svchost.exe by installing and running a dropper virus as the svcservice.exe service. In order to ensure that the PCs would remain encrypted even after a reboot, they additionally set the ransomware program to automatically activate on each system restart through a Windows autorun key.
The malware disables system recovery and deletes any Windows Volume Shadow copies before encrypting the system and delivering ransom notes, making a recovery impossible without the decryption key. The Trigona ransomware operation was first identified in October 2022 by MalwareHunterTeam and is well-known for exclusively taking ransom payments in the cryptocurrency Monero from victims all across the world.
On victims’ devices, Trigona encrypts all data with the exception of those found in a few particular directories, such as the Windows and Program Files directories. The group promises to steal private information before encrypting it and adding it to their dark web leak site. Additionally, every locked file has the victim ID (business name), the campaign ID, and the encrypted decryption key embedded in it. The ransomware also renames encrypted files by appending the ._locked extension to them.
Along with creating ransom notes with details on the attack, a link to the Trigona Tor negotiation website, and a link with the authorization key required to log into the negotiation site, it also produces files entitled “how_to_decrypt.hta” in each folder. Since the beginning of the year, the Trigona ransomware group has been responsible for a steady stream of assaults, submitting at least 190 samples to the ID Ransomware database.
