Trigona ransomware has been active since at least June 2022 and has been observed targeting poorly managed MS-SQL servers. Mimic ransomware was also first identified in June 2022; in January 2024 a Turkish-speaking threat actor was reported using it against poorly managed MS-SQL servers. Researchers attribute the recent Mimic attacks to the Trigona threat actor because the targets, the use of the BCP utility to drop the malware on disk, and the rest of the attack steps all match earlier Trigona activity.
Trigona, written in Delphi, encrypts files using a combination of RSA and AES. Earlier campaigns exploited the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and, later, poorly managed MS-SQL servers. The recent Trigona attack was tied to the same actor because the ransom note carries the same contact email address seen in earlier Trigona notes.
Mimic ransomware abuses the legitimate Everything file-search tool to enumerate target files quickly, which speeds up encryption, and it reuses features from the Conti ransomware, whose source code leaked in 2022. It is distributed as a 7-Zip self-extracting (SFX) executable that bundles the Everything binaries alongside the ransomware components. The ransom note in the recent Mimic attack used a different contact email address from earlier Mimic incidents, but the attack was still attributed to the Trigona actor on the basis of shared tactics and tools.
The attack chain starts with poorly managed MS-SQL servers that use weak, guessable credentials and therefore fall to brute-force or dictionary attacks. Once logged in, the actor stores the malware as binary data in a database table and abuses the legitimate Bulk Copy Program (BCP, bcp.exe) to write it out as a file on the server's disk. From there the Trigona actor runs Mimikatz to harvest account credentials, installs AnyDesk for persistent remote control, and deploys malware built to keep running even when Windows is booted into safe mode.
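Both weak points in this chain, credential guessing against the SQL login and bcp.exe being used to write a table's contents to an executable path, show up in ordinary telemetry. The following Python is an added example and is not code from the original article or from the researchers it summarizes. It runs two small detectors over constructed sample events: a burst of failed sa logins from one address followed by a success, then a bcp queryout to an .exe path launched beneath sqlservr.exe. The event shape, the field names, the threshold values and the assumption that bcp launched through xp_cmdshell appears as a descendant of sqlservr.exe are all mine, not details from the page.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "logon" entries stand in
# for MS-SQL login audit records (error 18456 on failure); "proc" entries
# stand in for process-creation telemetry such as Sysmon Event ID 1.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "logon", {"user": "sa", "src": "198.51.100.23", "ok": False}),
    ("2024-01-10T09:00:09", "logon", {"user": "sa", "src": "198.51.100.23", "ok": False}),
    ("2024-01-10T09:00:17", "logon", {"user": "sa", "src": "198.51.100.23", "ok": False}),
    ("2024-01-10T09:00:25", "logon", {"user": "sa", "src": "198.51.100.23", "ok": False}),
    ("2024-01-10T09:00:33", "logon", {"user": "sa", "src": "198.51.100.23", "ok": False}),
    ("2024-01-10T09:00:41", "logon", {"user": "sa", "src": "198.51.100.23", "ok": False}),
    ("2024-01-10T09:01:40", "logon", {"user": "sa", "src": "198.51.100.23", "ok": True}),
    ("2024-01-10T09:01:55", "logon", {"user": "reporting", "src": "10.0.0.8", "ok": True}),
    ("2024-01-10T09:02:05", "proc", {
        "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'cmd.exe /c bcp "select data from tempdb..payload" queryout C:\Users\Public\svc.exe -T -f C:\Users\Public\fmt.txt',
    }),
    # A routine DBA export from an interactive shell: should not be flagged.
    ("2024-01-10T09:30:00", "proc", {
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "cmdline": r"bcp Sales.dbo.Customers out C:\exports\customers.dat -T -c",
    }),
]

# File extensions that a bulk export of table data has no business producing.
EXEC_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr", ".7z"}

# Matches "bcp ... out|queryout <destination>", destination optionally quoted.
BCP_RE = re.compile(r'\bbcp(?:\.exe)?\b.*?\b(out|queryout)\s+"?([^"\s]+)', re.IGNORECASE)


def detect_bcp_drops(events):
    """Return (timestamp, destination, reasons) for suspicious bcp exports."""
    hits = []
    for ts, kind, f in events:
        if kind != "proc":
            continue
        m = BCP_RE.search(f["cmdline"])
        if not m:
            continue
        dest = m.group(2)
        reasons = []
        if ntpath.splitext(dest)[1].lower() in EXEC_EXTENSIONS:
            reasons.append("bcp writing executable-looking file")
        # Assumption (not from the page): bcp started via xp_cmdshell appears
        # beneath sqlservr.exe, which an administrator's manual export never does.
        if ntpath.basename(f["parent"]).lower() == "sqlservr.exe":
            reasons.append("bcp spawned beneath sqlservr.exe")
        if reasons:
            hits.append((ts, dest, reasons))
    return hits


def detect_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source address with at least `threshold` failed
    logins inside `window`, noting whether that source then logged in."""
    by_src = defaultdict(list)
    for ts, kind, f in events:
        if kind == "logon":
            by_src[f["src"]].append((datetime.fromisoformat(ts), f["ok"]))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        failures = [t for t, ok in items if not ok]
        for i, start in enumerate(failures):
            in_window = [t for t in failures[i:] if t - start <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1]
                guessed = any(ok and t > last_fail for t, ok in items)
                alerts.append({"src": src, "failures": len(in_window),
                               "first": start, "success_after": guessed})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_login_bursts(SAMPLE_EVENTS):
        print("login burst:", a)
    for h in detect_bcp_drops(SAMPLE_EVENTS):
        print("bcp drop:", h)
```

On the sample data the login detector reports the single guessing source with six failures and a success afterwards, and the bcp detector flags only the queryout to svc.exe under sqlservr.exe, leaving the PowerShell-launched .dat export alone. The two signals are worth correlating: a guessed password followed minutes later by bcp writing an executable is the exact sequence this section describes.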
Researchers also recovered two supporting tools from these attacks: a launcher that runs in safe mode and a port forwarder that exposes RDP. The launcher's job is to execute the ransomware, safe mode being attractive because many security products are not loaded there, and the port forwarder relays RDP traffic so the actor can reach the infected host remotely.