The Trigona Ransomware Gang's Attack on Unique Imaging

The Trigona ransomware gang has attacked Unique Imaging. Unique Imaging is an MRI centre headquartered in Aventura, Florida. Trigona posted Unique Imaging to its data leak site on September 5th but provided no further details.

The Trigona ransomware is a relatively recent addition to the ransomware landscape, with its activities dating back to approximately late October 2022. However, it's worth noting that traces of this ransomware existed as early as June 2022. Since its emergence, the operators behind Trigona have displayed a high level of activity, consistently updating their ransomware binaries.

Expansion and Technical Evolution

In April 2023, Trigona expanded its scope to target compromised MSSQL servers by illicitly obtaining credentials through brute force methods. Additionally, in May 2023, we came across a Linux variant of the Trigona ransomware, which displayed similarities to its Windows counterpart.

Connections to Other Ransomware Groups

The threat actors associated with Trigona are purportedly the same group responsible for the CryLock ransomware. This connection is inferred from resemblances in their tools, tactics, and procedures (TTPs). Furthermore, there have been associations made between Trigona and the ALPHV group, also known as BlackCat. However, it is our belief that any parallels between Trigona and BlackCat/ALPHV ransomware are largely circumstantial. One plausible scenario is that BlackCat/ALPHV collaborated with the threat actors deploying Trigona but may not have been directly involved in its development and operational activities.