Threat Actor Profile
Description
According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. It also drops the how_to_decrypt.hta file, which opens a ransom note. For example, Trigona renames 1.jpg to 1.jpg._locked, 2.png to 2.png._locked, and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'According to PCrisk, Trigona is ransomware that encrypts '
'files and appends the ._locked extension to filenames. Also, '
'it drops the how_to_decrypt.hta file that opens a ransom '
'note. An example of how Trigona renames files: it renames '
'1.jpg to 1.jpg._locked, 2.png to 2.png._locked, and so '
'forth.It embeds the encrypted decryption key, the campaign '
'ID, and the victim ID in the encrypted files.',
'firstseen': '2023-04-11T16:48:00+00:00',
'group': 'trigona',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2024-03-30T12:00:00+00:00',
'locations': [{'available': False,
'fqdn': '6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion',
'slug': 'http://6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion',
'title': 'Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion',
'slug': 'http://krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion',
'title': 'Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion',
'slug': 'http://trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion',
'title': 'Trigona is Gone',
'type': 'DLS'},
{'available': False,
'fqdn': '3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion',
'slug': 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/',
'title': 'Trigona is Gone',
'type': 'Chat'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': '6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion',
'slug': 'http://6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion',
'title': 'Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion',
'slug': 'http://krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion',
'title': 'Blog',
'type': 'DLS'},
{'available': False,
'fqdn': 'trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion',
'slug': 'http://trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion',
'title': 'Trigona is Gone',
'type': 'DLS'},
{'available': False,
'fqdn': '3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion',
'slug': 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/',
'title': 'Trigona is Gone',
'type': 'Chat'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'trigona',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced Port Scanner',
'SoftPerfect NetScan'],
'Exfiltration': ['MEGA', 'RClone'],
'LOLBAS': [],
'Networking': [],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': ['AnyDesk',
'LogMeIn',
'ScreenConnect',
'Splashtop',
'TeamViewer']},
'url': 'https://www.ransomware.live/group/trigona',
'victims': 49,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced Port Scanner', 'SoftPerfect NetScan'],
'Exfiltration': ['MEGA', 'RClone'],
'LOLBAS': [],
'Networking': [],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': ['AnyDesk',
'LogMeIn',
'ScreenConnect',
'Splashtop',
'TeamViewer']},
'ttps': [],
'url': 'https://www.ransomware.live/group/trigona',
'victims': 49,
'vulnerabilities': []}