
Hacktivist Group Disrupts Ransomware Actor—Could This Be the Future?


On Oct. 17, a triumphant message suddenly appeared on the official dark web leak page of the Trigona ransomware group. Later copied to X (formerly Twitter) by a group calling itself the Ukrainian Cyber Alliance, it read as follows:

“Trigona is gone! The servers of the Trigona ransomware gang has been exfiltrated and wiped out.”

And just to rub in the disruption:

“Welcome to the world you created for others.”

Hacktivists in Action

For the Ukrainian Cyber Alliance—a group that claims to have devoted itself to “disrupting Russian criminal enterprises since 2014”—disrupting the Trigona ransomware was all in a good day’s work.

In case anyone doubted the Ukrainian group’s claims, a user called herm1t published a screenshot from what appeared to be Trigona’s collaboration channel on the Confluence platform. Ironically, access to that was reportedly gained by exploiting a vulnerability, CVE-2023-22515, the type of issue that normally aids ransomware.

Additional screenshots posted in September on the Telegram channel RUH8 went deeper still, suggesting that infrastructure such as backups had also been compromised. One report suggests the hacktivists even compromised the group’s Bitcoin wallets and source code.

In all likelihood, this means the Trigona ransomware is now unable to operate and will find it impossible to reconstitute its operation for future attacks. It’s also possible that the Ukrainian hacktivists will eventually recover decryption keys, potentially making it possible to unlock the data of at least some victims.

Succumbing to Hacktivists

Despite having attacked a wide range of organizations in the healthcare and technology sectors since its appearance in early 2022, Trigona isn’t all that well known. This isn’t surprising—very few ransomware groups stick around long enough to become household names.

Trigona is just another ransomware actor that emerged from somewhere (most likely the CryLock ransomware, which itself possibly emerged from something called Cryald as far back as 2014) and has now, hopefully, disappeared for good.

But if it is truly gone for good, what will mark Trigona out as a reference point for some time to come is the manner of its demise at the hands of hacktivists.

For a ransomware group to succumb to hacktivists is still a vanishingly rare event compared to, say, police action such as the notable takedown of the prodigious Hive group in early 2023.

There has been the occasional indication of this type of event, the best known of which was the 2022 leaking of thousands of the Conti group’s internal messages by a Ukrainian researcher angered at Russia’s invasion of the country.

Unfortunately, neither approach seems to be making much of an inroad into the wider activity of ransomware groups, which seem to sprout up more quickly than they could ever realistically be stopped. According to Chainalysis, which monitors the illicit crypto channels groups use to extract ransoms, payments to criminals were at least $449.1 million in the first half of 2023 alone.

Nevertheless, the apparent success of the hacktivist group Ukrainian Cyber Alliance suggests that its MO holds some potential. Although they can’t endorse actions that might breach strict legality, the authorities seem to sense this, which is why they’ve started offering large bounties for information relating to groups and their members.

While the geo-politics of Ukraine won’t motivate every hacktivist-in-the-making, perhaps money could become a more tempting incentive.
