Buzzing On Christmas Eve Trigona Ransomware In 3 Hours
Researchers discovered a cyberattack incident where Trigona ransomware was deployed within 3 hours of initial access. The intrusion began with the threat actor gaining access to an exposed RDP host using legitimate credentials for the default Administrator account. They deployed a toolkit including batch scripts and the SoftPerfect Netscan tool for network reconnaissance. The threat actor identified network shares explored documents and initiated lateral movement by establishing an RDP connection to a file server. Then they copied their toolkit to the server staged Rclone disabled Windows Defender and exfiltrated data to Mega. Then the actor accessed file share servers disabled Windows Defender and staged the ransomware payload on each of the hosts they had access to. After that the Trigona payload was executed propagating itself across the network via the SMB protocol.