Ukrainian activists hacked Trigona password

  • October 19, 2023

A group of cyber activists operating under the banner of the Ukrainian Cyber Alliance hacked the servers of the Trigona extortion gang and destroyed them after copying all available information. The Ukrainian Cyber Alliance fighters are said to have taken all data from the gang's systems, including source code and database records that may contain decryption keys.

Trigona ransomware not working

Ukrainian Cyber Alliance hackers gained access to the Trigona ransomware infrastructure using a generic exploit for CVE-2023-22515, a critical vulnerability in Confluence Data Center and Server that can be exploited remotely to escalate privileges.

This vulnerability has been exploited in zero-day attacks since September 14 by at least one threat group that Microsoft tracks as Storm-0062 (also known as DarkShadow and Oro0lxy).

The Ukrainian Cyber Alliance, or UCA for short, first breached the Trigona ransomware gang's Confluence server about six days ago, establishing persistence and mapping the cybercriminals' infrastructure in complete secrecy.

After a UCA activist using the handle herm1t published screenshots of the ransomware group's internal support documentation, BleepingComputer reported that the Trigona gang initially panicked and responded by changing its password and taking down its overall infrastructure.

But over the next week, the activists managed to obtain all the information from the threat actor's administration and victim panels, its blog and data leak site, as well as its internal tools (Rocket.Chat, Jira and Confluence servers).

The activists do not know whether the information they shared contains decryption keys, but they said they would make the keys public if found. After collecting all available data on the ransomware gang, the UCA activists removed the gang's site, defaced it, and handed over the key to the site's admin panel.

Source: Port Altele