Trigona attacks Topa Electrical
Trigona Ransomware Attack on Topa Electrical
Trigona has attacked Topa Electrical and stolen an unknown amount of data. It is asking for a $150,000 ransom. Topa is a Canterbury-based electrical firm. For over 10 years it has been exceeding its clients' expectations in all aspects of commercial, residential, and industrial electrical services. It provides written quotes, stays within budget, and completes projects on time.
The Emergence of Trigona Ransomware
The Trigona ransomware group, first tracked by Trend Micro as Water Ungaw, surfaced in October 2022, although binaries of the ransomware were seen as early as June of the same year. It ran a lucrative scheme, launching attacks around the world and advertising revenues of 20% to 50% for each successful attack. The group was also reported to communicate with network access brokers, who provide compromised credentials via the internal chats of the Russian Anonymous Marketplace (RAMP) forum, and to use that information to obtain initial access to targets.
Bad actors behind the group are understood to be affiliated with CryLock as they use similar tactics, techniques, and procedures (TTPs), ransom note file names, as well as email addresses. In April 2023, Trigona began targeting compromised Microsoft SQL (MSSQL) Servers through brute-force attacks. A month later, researchers found a Linux version of Trigona that shared similarities with its Windows counterpart.
Links to Other Ransomware Groups
The Trigona ransomware is also linked to BlackCat (also known as AlphaVM, AlphaV, or ALPHV), although at present there are no known similarities between the two groups. It is possible that BlackCat only used or collaborated with the threat actors deploying Trigona. A report by Arete confirmed that Trigona had been seen exploiting CVE-2021-40539 for initial access.
Impact and Tactics of Trigona
Once they take hold of a target's system and data, the malefactors behind Trigona provide an authorization key that victims use to register on the negotiation portal. Trigona published critical data stolen from victims, including documents and contracts, on its leak site. The website had bidding options to acquire access to the leaked data and contained a countdown timer, which could have been used to place additional pressure on victims to pony up.