
🎯 In short, Trigona ransomware now uses a custom tool to steal data more quickly from infected computers.
What Happened
Recently, Trigona ransomware has evolved its tactics by employing a custom command-line tool for data exfiltration. This tool, named uploader_client.exe, was observed in attacks attributed to a gang affiliate. It was designed as a replacement for commonly used tools such as Rclone and MegaSync, which often trigger security alerts.
How It Works
The custom tool enhances the speed and efficiency of data theft through several key features:
- Simultaneous Connections: It supports five connections per file, allowing for faster uploads.
- Connection Rotation: After transferring 2 GB of data, it rotates TCP connections to evade detection.
- Selective Exfiltration: The tool can choose which file types to exfiltrate, avoiding large, less valuable files.
- Authentication Key: Access to stolen data is restricted with an authentication key, making it harder for outsiders to access the data.
Who's Being Targeted
The recent attacks have targeted organizations that store sensitive documents, such as invoices and PDFs, on their network drives. This focus on high-value data indicates a strategic approach to maximize the impact of their ransomware operations.
Signs of Infection
Victims of Trigona ransomware may notice unusual network activity, especially involving the uploader_client.exe tool. Other indicators include:
- Unauthorized access
- Credential theft
How to Protect Yourself
Organizations should take proactive measures to defend against Trigona ransomware:
Detection
1. Monitor Network Traffic: Keep an eye out for unusual data transfers or connections.
2. Update Security Tools: Ensure that all security software is up to date to detect new threats.
Removal
3. Educate Employees: Train staff on recognizing phishing attempts and other social engineering tactics.
4. Backup Data: Regularly back up critical data to recover quickly in case of an attack.
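As an added illustration (not code from the original article), here is a small Python heuristic that scores outbound flow records against the traits described above: it flags a host that opens five or more connections to one destination within a time window, pushes an aggregate of 2 GB or more to that destination, or runs a process named uploader_client.exe. The flow records, host names and addresses are constructed sample data, and the thresholds are assumptions taken from the article's figures.

```python
"""Heuristic detection of Trigona-style bulk exfiltration in outbound flow logs."""
from collections import defaultdict

# Constructed sample records, assumed to cover one monitoring window:
# (source host, process name, destination, bytes sent)
SAMPLE_FLOWS = [
    ("ws-07", "uploader_client.exe", "203.0.113.10:443", 450_000_000),
    ("ws-07", "uploader_client.exe", "203.0.113.10:443", 450_000_000),
    ("ws-07", "uploader_client.exe", "203.0.113.10:443", 450_000_000),
    ("ws-07", "uploader_client.exe", "203.0.113.10:443", 450_000_000),
    ("ws-07", "uploader_client.exe", "203.0.113.10:443", 450_000_000),
    ("ws-12", "outlook.exe", "198.51.100.5:443", 2_000_000),
    ("ws-12", "chrome.exe", "198.51.100.5:443", 1_000_000),
]

# Thresholds are assumptions based on the behaviour the article describes.
PARALLEL_THRESHOLD = 5          # five simultaneous connections per file
BYTES_THRESHOLD = 2 * 1024**3   # connections are rotated after about 2 GB
KNOWN_TOOL_NAMES = {"uploader_client.exe"}


def detect_exfiltration(flows):
    """Return [(host, destination, reasons)] for host/destination pairs
    whose aggregate behaviour in the window looks like bulk exfiltration."""
    by_pair = defaultdict(lambda: {"conns": 0, "bytes": 0, "procs": set()})
    for host, proc, dest, bytes_out in flows:
        entry = by_pair[(host, dest)]
        entry["conns"] += 1           # each record is one TCP connection
        entry["bytes"] += bytes_out
        entry["procs"].add(proc.lower())

    alerts = []
    for (host, dest), e in by_pair.items():
        reasons = []
        if e["conns"] >= PARALLEL_THRESHOLD:
            reasons.append(f"{e['conns']} parallel connections to one destination")
        if e["bytes"] >= BYTES_THRESHOLD:
            reasons.append(f"{e['bytes'] / 1024**3:.2f} GiB sent in one window")
        if e["procs"] & KNOWN_TOOL_NAMES:
            reasons.append("process name matches known exfiltration tool")
        if reasons:
            alerts.append((host, dest, reasons))
    return alerts


if __name__ == "__main__":
    for host, dest, reasons in detect_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT {host} -> {dest}: {'; '.join(reasons)}")
```

Real deployments would feed the function from firewall, proxy or NetFlow exports and tune the thresholds to the organization's normal upload volumes.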
Conclusion
The emergence of a custom exfiltration tool in Trigona ransomware attacks underscores the sophistication of modern cyber threats. Organizations must remain vigilant and enhance their security measures to combat these evolving tactics.
🔒 Pro insight: The use of a custom exfiltration tool indicates an advanced threat actor adapting to evade detection, highlighting the need for continuous security updates.