cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Hackers breach Microsoft SQL servers to deploy Trigona ransomware

Hackers are distributing Trigona ransomware via internet-exposed Microsoft SQL (MS-SQL) servers to collect system information and gain additional system control.

user icon Daniel Croft
Thu, 20 Apr 2023
Hackers breach Microsoft SQL servers to deploy Trigona ransomware
expand image

The attacks, which were identified by South Korean cyber security organisation AhnLab, discovered that threat actors were using brute-force or dictionary attacks with obtained or guessed credentials to infiltrate externally accessible MS-SQL servers.

The attacker then uses CLR Shell malware to collect system info, alter the configuration of the compromised account, or gain additional privileges using a vulnerability in the Windows Secondary Logon Service. The Trigona malware is then installed.

“It is presumed that the threat actor first installs the CLR Shell malware before installing Trigona,” said ASEC.


“Although multiple malware logs were confirmed together, the basis for this assumption comes from the time-based similarity with the timing of the ransomware attacks and the fact that it was present in most of the systems where Trigona attacks were carried out.

“In addition, this CLR Shell malware is confirmed to have a routine that exploits privilege escalation vulnerabilities, which is believed to be due to the high privileges required by Trigona as it operates as a service.”

Trigona is a form of ransomware that encrypts files with a secure AES algorithm and hides their extensions, instead showing files with a “._locked” extension. The criminal group also claims to steal data during the attacks.

In addition to files being encrypted, victims receive a ransom note titled “how_to_decrypte.hta”, which tells them to install a Tor browser and contact an address on the dark web to begin the decryption process.

Those who pay the ransom then receive a link to a decryptor and a private decryption key in a keys.dat file, allowing the group to decrypt individual files and full folders.

Trigona ransomware was first spotted by MalwareHunterTeam in October last year. The Trigona team has been responsible for a large number of attacks, with at least 190 ID Ransomware platform submissions since the beginning of the year.

The group has been known to exclusively accept ransomware payments in the Monero cryptocurrency. It is currently unknown how much the group demands.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.