Trigona Ransomware Group Develops Custom Data Exfiltration Tool
The Trigona ransomware group has developed a proprietary data exfiltration tool, giving it tighter control over how stolen data is collected and moved. This evolution marks a notable shift in ransomware tactics, with implications for cybersecurity defenses.

The Trigona ransomware group, active since late 2022 and operating under a Ransomware-as-a-Service model managed by Rhantus, has created a custom data exfiltration tool to improve data theft operations. Symantec's Threat Hunter Team identified this development in March 2026, highlighting a trend of ransomware affiliates investing in proprietary malware rather than relying on public tools like Rclone or MegaSync.
The attackers deployed HRSword, a modified kernel driver, alongside tools such as PCHunter and Mimikatz to disable security software and harvest credentials. This points to a strategic shift in ransomware operations: threat actors appear to be treating cybercrime as a structured research and development effort, much like a legitimate software project. Organizations must step up monitoring of remote access tools and of kernel-level driver loads to strengthen their defenses.
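The recommendation above to monitor kernel-level driver activity can be turned into a concrete detection check. The following is an added example written for this summary, not code from Symantec or from any tool mentioned in the report: it parses constructed, Sysmon-style driver-load events (Event ID 6) and flags drivers that are unsigned, signed by a publisher outside an allowlist, or loaded from a directory other than the system drivers folder. The event format, the file names and the signer names are all invented for the example.

```python
# Added example: flag suspicious kernel driver loads from Sysmon-style log lines.
# All events below are constructed; the file paths and signers are not real IoCs.
import re
from dataclasses import dataclass, field

# Constructed sample events in a simplified "key=value" form modelled on Sysmon Event ID 6.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows",
    "EventID=6 ImageLoaded=C:\\Users\\admin\\AppData\\Local\\Temp\\hypothetical_tool.sys Signed=true Signature=Example Vendor Ltd",
    "EventID=6 ImageLoaded=C:\\ProgramData\\x\\kdrv.sys Signed=false Signature=",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",  # not a driver load; must be ignored
]

# Allowlist assumptions: in a real deployment this is built from the organisation's
# own inventory (vendor drivers, EDR drivers, etc.), not just Microsoft.
APPROVED_SIGNERS = {"Microsoft Windows"}
APPROVED_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverAlert:
    image: str
    reasons: list = field(default_factory=list)


# Matches key=value pairs; the lazy value stops before the next " key=" or at end of line,
# so values containing spaces (e.g. signer names) survive intact.
EVENT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(EVENT_RE.findall(line))


def evaluate_driver_loads(lines):
    """Return a DriverAlert for every driver-load event that breaks a policy rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only driver-load events are in scope
        image = ev.get("ImageLoaded", "")
        reasons = []
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned driver")
        elif ev.get("Signature", "") not in APPROVED_SIGNERS:
            reasons.append("signer not in allowlist")
        if not image.lower().startswith(APPROVED_DIRS):
            reasons.append("loaded from non-standard directory")
        if reasons:
            alerts.append(DriverAlert(image, reasons))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_driver_loads(SAMPLE_EVENTS):
        print(f"ALERT {alert.image}: {', '.join(alert.reasons)}")
```

The signer allowlist is deliberately strict: a validly signed driver is still flagged if its publisher is unknown, because the tooling described above relies on drivers that carry a signature yet have no business running on the host. Feed real Sysmon or ETW driver-load events through `evaluate_driver_loads` after mapping them to the same keys.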