Trigona

The operators of the Trigona ransomware, which was first identified in October 2022, are known for only accepting Monero cryptocurrency payments from their victims. The ransomware encrypts all files on victims' devices except those in certain directories, including the Windows and Program Files directories. Encrypted files are renamed with the ._locked extension, and each locked file contains the encrypted decryption key, campaign ID, and victim ID (the company name).

The Trigona ransomware gang has been involved in numerous attacks, with at least 190 submissions to the ID Ransomware platform this year alone.