The Trigona Ransomware Gang Attacks Leidos

Leidos Holdings, Inc. is an American defense, aviation, information technology, and biomedical research company. It is a Fortune 500 company and one of the largest government contractors in the United States. Leidos provides a wide range of services and solutions primarily to government agencies, including the Department of Defense, intelligence communities, civil agencies, and various other organizations.

Trigona posted Leidos to its data leak site on September 5th, demanding a $300,000 ransom. Trigona is not a traditional RaaS. The ransomware gang emerged around June of 2022 and operators have been observed scanning for internet-exposed Microsoft SQL servers to exploit via brute-force or dictionary attacks, and they also maintain a Linux version.

Attack Methodology

The attackers will drop malware researchers dubbed CLR Shell to collect system information, to make configuration changes, and to escalate privileges by way of a vulnerability in the Windows Secondary Logon Service. There are multiple Trigona versions detected in the wild targeting both Windows and Linux systems.

Trigona TTPs have some overlap with BlackCat/ALPHV but are considered much less technically savvy. They employ a 4,112-bit RSA and 256-bit AES encryption in OFB mode which is buggy and complicated to decrypt, but they do have a reputation for reliably providing the decryption sequence to victims who pay the ransom demand.

Abused Legitimate Programs

Trigona abuses legitimate programs including AteraAgent, Splash Top, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer.