The landscape of cyber warfare witnessed a remarkable episode as the Ukrainian Cyber Alliance, a conglomerate of hacktivists, brought down the notorious Trigona ransomware gang. They not only hacked into the cybercriminal’s servers but also exfiltrated crucial data, thereby paralyzing Trigona’s operations.

The Surgical Strike: Exploitation and Exfiltration

Leveraging a known vulnerability in Confluence Data Center and Server—CVE-2023-22515—the Ukrainian Cyber Alliance infiltrated Trigona ransomware’s infrastructure. With meticulous planning, the hacktivist group mapped the entire network of the cybercriminals without raising any alarms.

An activist under the pseudonym ‘herm1t’ shared internal documents of Trigona, causing the ransomware group to momentarily panic. Nevertheless, over the ensuing week, the hacktivist group drained the data reservoirs of the cybercriminals, including their administration and victim panels, blog, data leak site, and essential internal tools like Rocket.Chat, Jira, and Confluence servers.

The Stolen Booty: What Was Exfiltrated?

The breadth of the stolen data was extensive. It included the developer environment, cryptocurrency hot wallets, source code, and database records. Although the hacktivists are uncertain whether the data contains decryption keys, they have pledged to release them if discovered.

Turning the Tables: Ukrainian Cyber Alliance

The Ukrainian Cyber Alliance has its roots in collective cyber activism that began around 2014 in response to Russian aggression. Over the years, it has matured into a formal non-governmental organization. Among its notable achievements are the hacking of the Russian Ministry of Defense and exposing Russian propaganda efforts.

Trigona Ransomware: A Brief Overview

Emerging under the ‘Trigona’ branding in late October of the previous year, the ransomware gang was actively compromising companies across diverse sectors, such as manufacturing, finance, and technology. Prior to this counteroffensive, Trigona was observed targeting Microsoft SQL servers using brute-force or dictionary attacks.

Aftermath and Implications

As a result of this counteroffensive, all Trigona ransomware public websites and services have gone offline. The Ukrainian Cyber Alliance claims to have retrieved backups containing hundreds of gigabytes of potentially stolen documents, substantially undermining Trigona’s capabilities.