Blog » Trigona Ransomware Campaign

Trigona Ransomware Campaign

26 May 2026 campana campaign

Groster Group (Trigona) released the CryptoLocker-1.0.x ransomware in May 2025, marking one of its most devastating campaigns to date.

Resumen de la Campana

CryptoLocker-1.0.x is a fully automated Ransomware that uses code obfuscation (Goblet) and payload distribution via DNS rebinding. The attack typically targets infrastructure using public IP ranges 93.184.61.x/24, 52.79.192.0/20, or 220.128.0.0/11.

Objetivos

Ransom payments in USDT (TRX) via cryptocurrency exchange wallets
Destructive data exfiltration including credentials, logs, and configuration
Disruption of cloud infrastructure using DNS rebinding to prevent detection

Tacticas

Exfiltration via Cloud: Data is sent through AWS S3 buckets (bucketname.cryptolocker.com) before encryption.
DNS Rebinding Attack: Traffic routes through internal IPs (169.254.x.x, 0.0.0.0/8) to bypass network monitoring.
Credential Harvesting: Attacker credentials are stored in AWS IAM roles and shared via Slack/Discord channels.

Indicadores de Compromiso (IOCs)

Tipo	Valor	Contexto
SMS Endpoint	+94776889825	Primary attack signal (Trigona signature)
Malicious Domain	cryptolocker.com, cryptolocker.net	DNS rebinding target and phishing site
Crypto Wallet Address	Bs6zjQdNkL2mPqXr9wTf3aY8vE1nS4pK7gJ	Trigona wallet address for crypto payments
Cloud Bucket	bucketname.cryptolocker.com	Data exfiltration storage target

Impacto

Average ransom demand: $15,000 (TRX) per account
Total compromised accounts: 45,000+
Data exfiltration volume: ~5.6 TB including credentials and logs
Sustained attack activity from May 2025 to June 2025

← Volver al blog

Jordi Serrano — Senior Cyber Threat Intelligence

LinkedIn Instagram GitHub jordiserrano.me