On Oct. 17, a triumphant message suddenly appeared on the official dark web leak page of the Trigona ransomware group. Later copied to X (formerly Twitter) by a group calling itself the Ukrainian Cyber Alliance, it read as follows:
“Trigona is gone! The servers of the Trigona ransomware gang has been exfiltrated and wiped out.”
And just to rub in the disruption:
“Welcome to the world you created for others.”
Hacktivists in Action
For the Ukrainian Cyber Alliance—a group that claims to have devoted itself to “disrupting Russian criminal enterprises since 2014”—disrupting the Trigona ransomware was all in a good day’s work.
In case anyone doubted the Ukrainian group’s claims, a user called herm1t published a screenshot from what appeared to be Trigona’s collaboration channel on the Confluence platform. Ironically, access to that was reportedly gained by exploiting a vulnerability, CVE-2023-22515, the type of issue that normally aids ransomware.
Additional screenshots on Telegram channel RUH8 from September sent deeper still, suggesting that infrastructure such as backups had also been compromised. One report suggests the hacktivists even compromised the group’s Bitcoin wallets and source code.
In all likelihood, this means the Trigona ransomware is now unable to operate and will find it impossible to reconstitute its operation for future attacks. It’s also possible that the Ukrainian hacktivists will eventually recover decryption keys, potentially making it possible to unlock the data of at least some victims.
Succumbing to Hacktivists
Despite having attacked a wide range of organizations in the healthcare and technology sectors since its appearance in early 2022, Trigona isn’t all that well known. This isn’t surprising—very few ransomware groups stick around long enough to become household names.
Trigona is just another ransomware actor that emerged from somewhere (most likely the CryLock ransomware, which itself possibly emerged from something called Cryald as far back as 2014) and has now, hopefully, disappeared for good.
But if it is truly gone for good, what will mark Trigona out as a reference point for some time to come is the manner of its demise at the hands of hacktivists.
For a ransomware group to succumb to hacktivists is still a vanishingly rare event compared to, say, police action such as the notable takedown of the prodigious Hive group in early 2023.
There has been the occasional indication of this type of event, the best known of which was the 2022 leaking of thousands of the Conti group’s internal messages by a Ukrainian researcher angered at Russia’s invasion of the country.
Unfortunately, neither approach seems to be making much of an inroad into the wider activity of ransomware groups, which seem to sprout up more quickly than they could ever realistically be stopped. According to Chainalysis, which monitors the illicit crypto channels groups use to extract ransoms, payments to criminals were at least $449.1 million in the first half of 2023 alone.
Nevertheless, the apparent success of the hacktivist group Ukrainian Cyber Alliance suggests that its MO holds some potential. Although they can’t endorse actions that might breach strict legality, the authorities seem to sense this, which is why they’ve started offering large bounties for information relating to groups and their members.
While the geo-politics of Ukraine won’t motivate every hacktivist-in-the-making, perhaps money could become a more tempting incentive.