The Trigona Ransomware Attack on Flamingo Holland
The Trigona ransomware gang has attacked Flamingo Holland. Flamingo Holland is a prominent company specializing in the production and distribution of flower bulbs and perennial plants, particularly Dutch flower bulbs. Founded in 1991, Flamingo Holland is based in Vista, California, USA, and has earned a reputation for its high-quality bulbs and plants, as well as its commitment to horticultural excellence. Trigona posted Flamingo Holland to its data leak site on September 5th but provided no further details.
Understanding Trigona's Methodology
Trigona is not a traditional RaaS. The gang emerged around June 2022, and its operators have been observed scanning for internet-exposed Microsoft SQL servers and gaining access through brute-force or dictionary attacks against their logins; they also maintain a Linux version of the ransomware. Once inside, the attackers drop a piece of malware that researchers have dubbed CLR Shell, which collects system information, makes configuration changes, and escalates privileges by way of a vulnerability in the Windows Secondary Logon Service. Multiple Trigona versions have been detected in the wild, targeting both Windows and Linux systems.
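Because the initial access described above is a password-guessing campaign against exposed SQL Server logins, the most direct detection is a burst of failed logins from one client address, often across several usernames. The following is an added example (not code from the original post or from Halcyon) that parses constructed lines in the shape of SQL Server ERRORLOG "Login failed" entries and flags any source that exceeds a failure threshold inside a short time window; the threshold, window, IP addresses and usernames are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape of SQL Server ERRORLOG "Login failed"
# entries. They are not real logs from the incident described on the page.
SAMPLE_ERRORLOG = """\
2023-09-05 02:14:11.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-09-05 02:14:12.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-09-05 02:14:12.71 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-09-05 02:14:13.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-09-05 02:14:14.09 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-09-05 02:14:14.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-09-05 02:20:01.10 Logon       Login failed for user 'CORP\\jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.17]
2023-09-05 02:31:45.55 Logon       Login failed for user 'CORP\\jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.17]
"""

# Matches the timestamp, the login name and the client address of a failed login.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_login_failures(text):
    """Return a list of (timestamp, user, client_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Flag client addresses with >= threshold failures inside any sliding window.

    The result maps client_ip -> {"total": all failures seen, "peak": most
    failures inside one window, "users": distinct login names tried}. A high
    "peak" with many "users" is the dictionary-attack pattern; a couple of
    failures minutes apart from one user (a mistyped password) is not flagged.
    """
    per_client = defaultdict(lambda: {"total": 0, "users": set(), "peak": 0})
    recent = defaultdict(deque)  # timestamps inside the current window, per client
    for ts, user, client in sorted(events):
        stats = per_client[client]
        stats["total"] += 1
        stats["users"].add(user)
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        stats["peak"] = max(stats["peak"], len(q))
    return {
        client: {"total": s["total"], "peak": s["peak"], "users": sorted(s["users"])}
        for client, s in per_client.items()
        if s["peak"] >= threshold
    }


if __name__ == "__main__":
    for client, info in detect_brute_force(parse_login_failures(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['peak']} failures in one window, users tried: {info['users']}")
```

The 5-in-60-seconds threshold is an illustrative starting point and should be tuned to the environment; the same sliding-window logic applies unchanged to Windows Security event 18456 forwarded to a SIEM. The detection is a backstop, not a substitute for the mitigation the attack pattern implies: SQL Server instances should not be reachable from the internet, and exposed logins should be protected by strong passwords and lockout policies.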
Technical Details and Victim Response
Trigona's TTPs overlap somewhat with those of BlackCat/ALPHV, but the group is considered far less technically sophisticated. The ransomware uses 4,112-bit RSA together with 256-bit AES in OFB mode; the implementation is buggy and complicated to decrypt, but the group has a reputation for reliably providing the decryption sequence to victims who pay the ransom demand. Trigona abuses legitimate remote-access and remote-management programs including AteraAgent, Splashtop, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer.
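The abuse of legitimate remote-access tools is hard to catch with signatures because the binaries are signed and expected on some hosts; the practical control is an inventory of which tools are sanctioned on which hosts, with anything else treated as a finding. The following is an added example (not code from the original post or from Halcyon) that applies such an allowlist to constructed process-creation records. The executable names mapped to each product, the host names, users and paths are assumptions made for the example, not an authoritative list.

```python
import csv
import io
from pathlib import PureWindowsPath

# Executable names assumed here to belong to the remote-access tools named on the
# page. This mapping is an assumption for the example; vendors ship several
# binaries per product, so a real inventory should be built from installed files.
RMM_BINARIES = {
    "ateraagent.exe": "AteraAgent",
    "srserver.exe": "Splashtop",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "logmein.exe": "LogMeIn",
    "teamviewer.exe": "TeamViewer",
}

# Constructed process-creation records (the fields Sysmon event 1 or an EDR
# would provide), flattened to CSV for the example. Not real telemetry.
SAMPLE_EVENTS = """\
time,host,user,image,parent_image
2023-09-05T03:02:11Z,WS-IT-07,CORP\\itadmin,C:\\Program Files\\TeamViewer\\TeamViewer.exe,C:\\Windows\\explorer.exe
2023-09-05T03:05:44Z,SQL-01,CORP\\svc_sql,C:\\Users\\svc_sql\\AppData\\Local\\Temp\\AnyDesk.exe,C:\\Windows\\System32\\cmd.exe
2023-09-05T03:06:10Z,SQL-01,CORP\\svc_sql,C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe,C:\\Windows\\System32\\services.exe
2023-09-05T03:10:00Z,WS-FIN-12,CORP\\jdoe,C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Windows\\explorer.exe
"""

# Assumed sanctioned inventory: host -> set of tools IT is allowed to run there.
APPROVED = {"WS-IT-07": {"TeamViewer"}}


def find_unapproved_rmm(csv_text, approved=APPROVED):
    """Return one finding per process whose image is a known remote-access tool
    not sanctioned for that host. Each finding also notes whether the binary ran
    from a user-writable location, which is unusual for an IT-deployed agent."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["image"]
        tool = RMM_BINARIES.get(PureWindowsPath(image).name.lower())
        if tool is None or tool in approved.get(row["host"], set()):
            continue
        lowered = image.lower()
        findings.append({
            "time": row["time"],
            "host": row["host"],
            "user": row["user"],
            "tool": tool,
            "image": image,
            "parent": row["parent_image"],
            "user_writable_path": "\\appdata\\" in lowered or "\\temp\\" in lowered,
        })
    return findings


if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_EVENTS):
        where = "user-writable path" if f["user_writable_path"] else "program directory"
        print(f"{f['time']} {f['host']} {f['user']}: unapproved {f['tool']} from {where} "
              f"(parent {f['parent']})")
```

The allowlist is keyed by host deliberately: a remote-access tool on an IT administrator's workstation is expected, while the same tool appearing on a database server, launched from a service account's Temp directory by cmd.exe, is the combination worth paging on. Extending the check to the parent process (an RMM agent spawned by a shell rather than by the service control manager) is a natural next step.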