Trigona attacks Cyberport

Incident Date: Sep 05, 2023

Attack Overview

Victim: Cyberport
Industry: Business Services
Location: China
Attacker: Trigona
First Reported: September 5, 2023

The Trigona Ransomware Attack on Cyberport

The Trigona ransomware gang has attacked Cyberport. Cyberport is a technology and digital entertainment-focused business park and innovation hub located in Hong Kong. Established in 1999, it was created by the Hong Kong government with the aim of fostering the growth of the information and communications technology (ICT) industry in the region. Cyberport is situated on the southwestern side of Hong Kong Island, near the Pok Fu Lam area.

Cyberport confirmed the attack on September 7th, with Trigona demanding $300,000 for the safe return of over 400GB of data.

Understanding Trigona's Approach

Trigona is not a traditional RaaS. The ransomware gang emerged around June of 2022. Its operators have been observed scanning for internet-exposed Microsoft SQL servers to exploit via brute-force or dictionary attacks, and they also maintain a Linux version. The attackers drop malware that researchers dubbed CLR Shell to collect system information, make configuration changes, and escalate privileges by way of a vulnerability in the Windows Secondary Logon Service.
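On the defensive side, the brute-force and dictionary activity described above is visible in the SQL Server error log when login auditing records both failed and successful logins. The following is an added example, not taken from the original article or from any vendor tool: it flags clients that produce a burst of failed logins and notes whether a successful login followed. The log lines are constructed, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not from a real host).
SAMPLE_LOG = """\
2023-09-05 03:12:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-05 03:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 03:12:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 03:12:03.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-09-05 03:12:03.50 Logon       Login failed for user 'app_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2023-09-05 03:12:04.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 03:12:05.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 03:12:06.00 Logon       Login succeeded for user 'app_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.15]
2023-09-05 03:12:09.15 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: stats} for clients with >= threshold failures inside window."""
    recent = defaultdict(deque)  # client -> failure timestamps still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "flagged": False, "success_after": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "Error: 18456" companion line carries no client
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = stats[m["client"]]
        if m["result"] == "failed":
            s["failures"] += 1
            s["users"].add(m["user"])
            q = recent[m["client"]]
            q.append(ts)
            while ts - q[0] > window:  # evict failures older than the window
                q.popleft()
            if len(q) >= threshold:
                s["flagged"] = True
        elif s["flagged"] and s["success_after"] is None:
            # A success after a failure burst is the highest-priority signal.
            s["success_after"] = (m["user"], ts)
    return {c: s for c, s in stats.items() if s["flagged"]}
```

A flagged client with `success_after` set warrants immediate credential rotation and review of what that session did; a flagged client without it is still a reason to check why the SQL port is reachable from that address.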

Multiple Trigona versions have been detected in the wild, targeting both Windows and Linux systems. Trigona's TTPs have some overlap with those of BlackCat/ALPHV, but its operators are considered much less technically savvy. They employ 4,112-bit RSA and 256-bit AES encryption in OFB mode, which is buggy and complicated to decrypt, but they do have a reputation for reliably providing the decryption sequence to victims who pay the ransom demand.

Exploitation of Legitimate Programs

Trigona abuses legitimate programs including AteraAgent, Splashtop, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer.
